topic Re: count of a field, and then sort by day in Splunk Search

count of a field, and then sort by day

barneser — Wed, 30 Sep 2020 03:11:31 GMT

Im looking to count by a field and that works with first part of syntex , then sort it by date.
both work independantly ,but not together.

Any ideas?

index=profile_new| stats count(cn1) by cs2 | stats count as daycount by date_mday

Re: count of a field, and then sort by day

gcusello — Thu, 05 Dec 2019 12:11:07 GMT

Hi @barneser,
after a stats command, you have only the fields that you used in the stats command.
So in your example, after the first stats command you have only count(cn1) and cs2, you haven't more date_mday or other fields.
If you need another field you have to add it to stats command using values or earliest (for dates).
For more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Stats .

Anyway, if you could describe better what you want to have as result, I could help you, because I don't understand your requisite.

In other words, if you run a statistic for cs2, what do you mean with "sort by date"?

Ciao.
Giuseppe

Re: count of a field, and then sort by day

kamlesh_vaghela — Thu, 05 Dec 2019 12:12:51 GMT

@barneser

Can you please share more details with sample output?? meanwhile can you please try this ?

index=profile_new | chart count(cn1) over date_mday by cs2 | sort date_mday