https://community.splunk.com/t5/Splunk-Search/sort-not-working-as-expected/m-p/478197#M134131 <P>@gcusello Hello Sir, first of all, Happy New Year to you and your family.<BR /> Here for the file, we have values like. How do they even look like they are sorted</P> <P>product.screen<BR /> cart.do<BR /> category.screen<BR /> oldlink<BR /> success.do<BR /> passwords.pdf<BR /> error.do<BR /> userlist<BR /> account<BR /> api</P> Wed, 01 Jan 2020 04:42:19 GMT palisetty 2020-01-01T04:42:19Z https://community.splunk.com/t5/Splunk-Search/sort-not-working-as-expected/m-p/478195#M134129 <P>I used the following query where I used '-' just beside "Total bytes" without space. As per my understanding, if we have multiple fields after sort and when use '-' just next to the field that field will be sorted descending and the other fields are sorted in ascending order. But I am not getting desired results. Kindly correct me if I am wrong.</P> <P>index="main" host="web_application" status=200<BR /> | stats sum(bytes) as "Total bytes" by file<BR /> | sort -"Total bytes" file</P> <P>file Total bytes<BR /> product.screen 123344678<BR /> cart.do 122623448<BR /> category.screen 84500260<BR /> oldlink 82699602<BR /> success.do 67725818<BR /> passwords.pdf 22207970<BR /> error.do 7495294<BR /> userlist 55380<BR /> account 8476<BR /> api 2912</P> Tue, 31 Dec 2019 14:17:49 GMT https://community.splunk.com/t5/Splunk-Search/sort-not-working-as-expected/m-p/478195#M134129 palisetty 2019-12-31T14:17:49Z https://community.splunk.com/t5/Splunk-Search/sort-not-working-as-expected/m-p/478196#M134130 <P>Hi @palisetty,<BR /> it's correct: in your search you sorted at first descending by "Total bytes" (the first field with -) and then all the equal values of "Total bytes" are sorted ascending by file, so it's correct the order you have.</P> <P>But what's the order you want in your results?</P> <P>Ciao and Happy New Year.<BR /> Giuseppe</P> Tue, 31 Dec 2019 14:29:48 GMT https://community.splunk.com/t5/Splunk-Search/sort-not-working-as-expected/m-p/478196#M134130 gcusello 2019-12-31T14:29:48Z https://community.splunk.com/t5/Splunk-Search/sort-not-working-as-expected/m-p/478197#M134131 <P>@gcusello Hello Sir, first of all, Happy New Year to you and your family.<BR /> Here for the file, we have values like. How do they even look like they are sorted</P> <P>product.screen<BR /> cart.do<BR /> category.screen<BR /> oldlink<BR /> success.do<BR /> passwords.pdf<BR /> error.do<BR /> userlist<BR /> account<BR /> api</P> Wed, 01 Jan 2020 04:42:19 GMT https://community.splunk.com/t5/Splunk-Search/sort-not-working-as-expected/m-p/478197#M134131 palisetty 2020-01-01T04:42:19Z https://community.splunk.com/t5/Splunk-Search/sort-not-working-as-expected/m-p/478198#M134132 <P>Hi @palisetty,<BR /> sorry! I was sleeping whatching that vales were sorted!<BR /> Anyway, I used sort command with your data and I have a correct sort, as you can see in this example:</P> <PRE><CODE>| makeresults | eval ppp="product.screen 123344678,cart.do 122623448,category.screen 84500260,oldlink 82699602,success.do 67725818,passwords.pdf 22207970,error.do 7495294,userlist 55380,account 8476,api 2912" | makemv ppp delim="," | mvexpand ppp | rex field=ppp "(?&lt;file&gt;[^ ]*)\s+(?&lt;Total_bytes&gt;[^ ]*)" | table file Total_bytes | sort -Total_bytes file </CODE></PRE> <P>Ciao.<BR /> Giuseppe</P> Thu, 02 Jan 2020 08:09:16 GMT https://community.splunk.com/t5/Splunk-Search/sort-not-working-as-expected/m-p/478198#M134132 gcusello 2020-01-02T08:09:16Z https://community.splunk.com/t5/Splunk-Search/sort-not-working-as-expected/m-p/478199#M134133 <P>can you explain what those files listed actually are for ? What value do they have ? <BR /> product.screen<BR /> cart.do<BR /> category.screen<BR /> oldlink<BR /> success.do<BR /> passwords.pdf<BR /> error.do<BR /> userlist<BR /> account<BR /> api</P> Thu, 14 May 2020 21:16:07 GMT https://community.splunk.com/t5/Splunk-Search/sort-not-working-as-expected/m-p/478199#M134133 jcorcoran508 2020-05-14T21:16:07Z