https://community.splunk.com/t5/Splunk-Search/Alphabetically-sorting-a-MVfield/m-p/505199#M141175 <P>It's not clear what results you want.&nbsp; Can you provide a mockup of the desired output?</P><P>Have you tried putting both columns in the stats command?</P><LI-CODE lang="markup">| stats values(*) as * by idnumber</LI-CODE> Fri, 19 Jun 2020 14:20:59 GMT richgalloway 2020-06-19T14:20:59Z https://community.splunk.com/t5/Splunk-Search/Alphabetically-sorting-a-MVfield/m-p/505182#M141168 <P>Hi All,</P><P>I'm trying to combine a number of fields using:</P><P>| stats values(task_name) as task_name by idnumber</P><P><BR />This works great when it comes to timestamps associated with the idnumber, but for<BR />the tasks associated with it, splunk sorts it alphabetically.</P><P>This leads to problems down the line when we try to see which task was executed first.</P><P>Part of the problem is that the number of timestamps can differ from the number of tasks<BR />so to make a new field with timestamp and task combined does not work.</P><P>#original data:<BR />sysmodtime,task_name,idnumber<BR />05/01/20 12:00 PM,one,1<BR />05/01/20 12:01 AM,two,1<BR />05/01/20 12:02 AM,two,1<BR />05/01/20 12:02 AM,two,1<BR />05/02/20 12:00 PM,one,2<BR />04/02/20 12:00 AM,one,2<BR />04/02/20 01:00 AM,one,2<BR />04/02/20 02:00 AM,one,3<BR />05/04/20 12:00 PM,one,4<BR />05/03/20 12:00 PM,two,4<BR />05/03/20 12:01 PM,three,4<BR />05/03/20 12:02 PM,four,4<BR />05/03/20 12:40 PM,five,4<BR />05/03/20 12:50 PM,six,4</P><P><BR />#the conflicting results after stats command (see attachment)</P><P>Any advice would be welcome<BR />Cheers,<BR />Roelof</P> Fri, 19 Jun 2020 12:43:43 GMT https://community.splunk.com/t5/Splunk-Search/Alphabetically-sorting-a-MVfield/m-p/505182#M141168 rvsroe 2020-06-19T12:43:43Z https://community.splunk.com/t5/Splunk-Search/Alphabetically-sorting-a-MVfield/m-p/505199#M141175 <P>It's not clear what results you want.&nbsp; Can you provide a mockup of the desired output?</P><P>Have you tried putting both columns in the stats command?</P><LI-CODE lang="markup">| stats values(*) as * by idnumber</LI-CODE> Fri, 19 Jun 2020 14:20:59 GMT https://community.splunk.com/t5/Splunk-Search/Alphabetically-sorting-a-MVfield/m-p/505199#M141175 richgalloway 2020-06-19T14:20:59Z https://community.splunk.com/t5/Splunk-Search/Alphabetically-sorting-a-MVfield/m-p/505442#M141246 <P>Hi Richgalloway, thanks for the reply, the atachment in the main question shows the erroneous results, with the tasks sorted alphabetically instead of matched with the timestamp, so for example for id number 1 there are 6 tasks and 6 time stamps,&nbsp; the stats command (placing both columns inside stats) gives:</P><P>sysmodtime, task_name, idnumber<BR />05/04/20 12:00 PM, five, 4<BR />05/03/20 12:00 PM, four,<BR />05/03/20 12:01 PM, one,<BR />05/03/20 12:02 PM, six.<BR />05/03/20 12:40 PM, three,<BR />05/03/20 12:50 PM, two,</P><P>whereas the order should be simply; one, two, three, four, five, six</P><P>Solutions that make a new field using sysmodtime and task_name fail since number of tasks<BR />and number of sysmodtime are not equal in all cases.</P> Mon, 22 Jun 2020 08:45:29 GMT https://community.splunk.com/t5/Splunk-Search/Alphabetically-sorting-a-MVfield/m-p/505442#M141246 rvsroe 2020-06-22T08:45:29Z