sort descending avg time field in results

MOHITJOSHI · ‎04-07-2020

i have a field "avg_time" which i want to display in descending order. tried sort -avg_time but didn't worked

eval n=round(diff,2)|chart limit=200 eval(round(avg(n),2)) as avg_time count over Transaction_GroupName by v usenull=false. v is version of app

the results table has fields Transaction_GroupName, count:v, avg_time:v

gcusello · ‎04-07-2020

Hi @MOHITJOSHI,
I haven't your data so I cannot test your search, but you cannot put an eval in a chart command in that way and I think that you don't need, try something like this:

index=your_index
| chart limit=200 avg(diff) as avg_time over Transaction_GroupName BY v
| eval  avg_time=round(avg_time,2)

The problem is that avg_time isn't a column of the table because as column you have v so you cannot sort by avg_time and that you cannot have two fields in chart command.

To have avg_time as a column you have to use the command stats, having in two different columns Transaction_GroupName and v, something like this:

index=your_index
| stats avg(diff) as avg_time count BY Transaction_GroupName v
| eval  avg_time=round(avg_time,2)
| sort 200 -avg_time

I don't know if it could be acceptable for you.

Ciao.
Giuseppe

sort descending avg time field in results

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes