My search results are displayed as a table, something like this:
host  sourcetype               count
acer  splunkd                  614130
acer  splunkd_access           17963
acer  splunk_web_access        11289
acer  splunk_web_service       1922
acer  splunk_btool             1288
acer  searches                 87
acer  first_install-too_small  4
acer  splunk_intentions        2
acer  splunk_version           1
Now I want the count field to be sorted in ascending order, so I have used the sort query on my output table. Now I need the table to print as a single record, as below:
host splunkd splunkd_access ...
acer 614130 17963 ...
Tried the chart command, but couldn't get the result. Please help.
Sure. The easiest way is to tack this on the end:
| chart sum(count) as count over host by sourcetype
However, assuming that the search generating your current results is something like
stats count by host sourcetype
then the much more elegant way is to replace that stats clause, with this chart clause:
chart count over host by sourcetype
and if there are really more than the one host in your dataset, but you only want to show the single highest source, you would fit the sort and head operators in there, as necessary.
As stated earlier, I believe you cannot sort the column order.
Don't we have any other way to achieve this?
Actually, the table which I mentioned doesn't show the records in sorted order, so I have the sort command followed by the stats, and then tried to use the chart command. But I am not getting the desired results.
I have used something like this:
stats count by host sourcetype | sort - count | chart count over host by sourcetype
But then I couldn't see the results in sorted order.
I'm not sure what part of my answer wasn't clear, or didn't answer your question?
I want to display the results in sorted order, so I am using the sort command, and these results should be displayed as a single record, so I am using the chart command again. Please help.
Note that I said if you are appending it after the stats, you will have to use "chart sum(count) as count". It's only if you're replacing the stats that you can use "chart count". There's really no reason to do the stats, and then a sort, and then a chart. As I said the much better way is to replace the stats with the chart, and I don't think I completely understand what you're trying to do with the sort.
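Added example, not part of the thread: a small Python model of the difference described above between appending `chart count` and `chart sum(count)` to `stats count by host sourcetype`, and of why a `sort` placed before `chart` does not carry through. The `lenovo` rows are constructed, and the lexicographic column order is an assumption about how chart lays out its columns.

```python
from collections import defaultdict

# Rows as produced by `stats count by host sourcetype | sort - count`.
# The acer values come from the question; the lenovo rows are constructed.
STATS_ROWS = [
    {"host": "acer", "sourcetype": "splunkd", "count": 614130},
    {"host": "acer", "sourcetype": "splunkd_access", "count": 17963},
    {"host": "acer", "sourcetype": "splunk_web_access", "count": 11289},
    {"host": "lenovo", "sourcetype": "splunkd", "count": 4200},
    {"host": "acer", "sourcetype": "searches", "count": 87},
    {"host": "lenovo", "sourcetype": "searches", "count": 12},
]

def chart(rows, agg, over="host", by="sourcetype", field="count"):
    """Model of `chart <agg> over <over> by <by>`.

    agg="count" counts input rows per cell, as `chart count` does;
    agg="sum" adds up the existing field, as `chart sum(count)` does.
    """
    cells = defaultdict(lambda: defaultdict(int))
    for row in rows:
        cells[row[over]][row[by]] += 1 if agg == "count" else row[field]
    # Assumption: columns come out in lexicographic order of the `by` values,
    # regardless of the order of the incoming rows.
    columns = sorted({row[by] for row in rows})
    # Missing cells are rendered as 0 in this model.
    return [
        {over: key, **{col: cells[key].get(col, 0) for col in columns}}
        for key in sorted(cells)
    ]

def appended_chart_count(rows):
    # ... | stats count by host sourcetype | sort - count | chart count over host by sourcetype
    return chart(rows, "count")

def appended_chart_sum(rows):
    # ... | stats count by host sourcetype | sort - count | chart sum(count) as count over host by sourcetype
    return chart(rows, "sum")

if __name__ == "__main__":
    for label, fn in (("chart count", appended_chart_count),
                      ("chart sum(count)", appended_chart_sum)):
        print(label)
        for out in fn(STATS_ROWS):
            print("  ", out)
```

In this model `chart count` after `stats` yields 1 in every populated cell because each stats row is counted once, while `chart sum(count)` recovers the original totals.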
I would like to use the sort command after the
stats count by host sourcetype | sort - count
Now when I am trying to append
chart count over host by sourcetype
I am not getting the results.
I have used it like this:
index=_internal [some logic] | stats count by host sourcetype | sort - count | chart count over host by sourcetype
But this didn't work. I need the complete query using sort. Thanks in advance.