https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365220#M107709 <P>I have the following search in which I'm trying to sort first alphabetically and then by total, but the Processes field is not sorting alphabetically. </P> <PRE><CODE>index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total </CODE></PRE> <P>Any idea as to what I'm missing or not doing correctly?<BR /> Thx</P> Mon, 14 Aug 2017 19:36:32 GMT jwalzerpitt 2017-08-14T19:36:32Z https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365220#M107709 <P>I have the following search in which I'm trying to sort first alphabetically and then by total, but the Processes field is not sorting alphabetically. </P> <PRE><CODE>index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total </CODE></PRE> <P>Any idea as to what I'm missing or not doing correctly?<BR /> Thx</P> Mon, 14 Aug 2017 19:36:32 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365220#M107709 jwalzerpitt 2017-08-14T19:36:32Z https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365221#M107710 <P>Modified search to as below, but still no luck</P> <PRE><CODE>index=sysmon | stats count by process,ParentImage | sort +str(process),-count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total </CODE></PRE> Mon, 14 Aug 2017 19:39:47 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365221#M107710 jwalzerpitt 2017-08-14T19:39:47Z https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365222#M107711 <P>What sort order are you getting?</P> Mon, 14 Aug 2017 19:54:30 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365222#M107711 richgalloway 2017-08-14T19:54:30Z https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365223#M107712 <P>I get the correct sort order based on Total, but the Processes field is all over the place. Here's from the first listing:</P> <PRE><CODE> cmd.exe notepad++.exe Update.exe aruser.exe firefox.exe runonce.exe Box Edit.exe Box Local Com Service.exe CCleaner64.exe DellSystemDetect.exe IAStorIconLaunch.exe ImageTray.exe ONENOTEM.EXE OUTLOOK.EXE OneDrive.exe RDCMan.exe SnippingTool.exe WINWORD.EXE chrome.exe explorer.exe lync.exe netsession_win.exe vmtoolsd.exe </CODE></PRE> Mon, 14 Aug 2017 20:00:04 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365223#M107712 jwalzerpitt 2017-08-14T20:00:04Z https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365224#M107713 <P>The Processes field in the end is a multivalued field hence doesn't get sorted using sort command. Give this a try</P> <PRE><CODE>index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total </CODE></PRE> <P>Please note that Processes are sorted lexicographically (upper case are sorted first then lower case)</P> Mon, 14 Aug 2017 20:38:49 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365224#M107713 somesoni2 2017-08-14T20:38:49Z https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365225#M107714 <P>Thx as that worked (as well as the explanation on sorting lexicographically). With that knowledge, I modified my search as below which allowed for sorting alphabetically on the Processes field. </P> <PRE><CODE>index=sysmon | eval process=lower(process) | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total </CODE></PRE> <P>Please copy your reply into the answer field so I can mark it as such, and thx again for the help!</P> Mon, 14 Aug 2017 20:49:34 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365225#M107714 jwalzerpitt 2017-08-14T20:49:34Z https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365226#M107715 <P>Here you go.</P> Mon, 14 Aug 2017 20:53:29 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365226#M107715 somesoni2 2017-08-14T20:53:29Z https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365227#M107716 <P>Thx again!</P> Mon, 14 Aug 2017 20:57:28 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-sort-a-field-alphabetically-and-then-by-total/m-p/365227#M107716 jwalzerpitt 2017-08-14T20:57:28Z