topic Re: How to sort by field? in Splunk Search

How to sort by field?

jackpal — Wed, 27 Jun 2018 15:08:54 GMT

I am trying to get the highest used process percentage by user, however, I am unable to sort by the field I want to.

index=os sourcetype=top host=hostname
| chart sum(pctCPU) as CPU_USAGE by USER,COMMAND
| sort sum(pctCPU) desc 
| head 5

This produces a table but I'd like the chart to only show the top 5 users and the commands they are running sorted by their CPU_USAGE

renjith_nair — Wed, 27 Jun 2018 15:55:39 GMT

Hi @jackpal,

Try

index=os sourcetype=top host=hostname |fields USER,pctCPU,COMMAND|sort pctCPU desc|head 5| chart sum(pctCPU) as CPU_USAGE by USER,COMMAND

This will sort based on cpu usage not on the sum . If you need to sort on sum of cpu usage of a user then , try

    index=os sourcetype=top host=hostname |stats sum(pctCPU) as CPU_USAGE by USER,COMMAND
    |sort CPU_USAGE desc|head 5

cpetterborg — Wed, 27 Jun 2018 16:04:51 GMT

Does this do it for you?:

index=os sourcetype=top host=hostname
| stats sum(pctCPU) as CPU_USAGE by USER,COMMAND
| sort - CPU_USAGE
| head 5

jackpal — Wed, 27 Jun 2018 17:39:54 GMT

Thanks to all who responded.