https://community.splunk.com/t5/Splunk-Search/Why-do-these-seemingly-identical-searches-return-different/m-p/514898#M144543 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224144">@CarbonCriterium</a>&nbsp;, in the last query&nbsp;</P><P>..| stats sum(eval(sc_bytes/1073741824)) as Gigabytes by cs_uri_stem | sort -sc_bytes | head 100</P><P>below sort will do nothing as the field used for sorting does not exist in the result</P><P>...| sort -sc_bytes</P><P>and below is taking 100 results (after the stats command) from the top&nbsp;</P><P>....| head 100</P><P>Are you seeing any different behavior?&nbsp;&nbsp;</P> Wed, 19 Aug 2020 10:32:03 GMT Nisha18789 2020-08-19T10:32:03Z https://community.splunk.com/t5/Splunk-Search/Why-do-these-seemingly-identical-searches-return-different/m-p/514777#M144496 <P>I have four versions of a nearly identical search.&nbsp; The last one returns a completely different result.&nbsp; What is it about the interaction of the "sort" and "head" commands that changes the outcome?</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">...| stats sum(eval(sc_bytes/1073741824)) AS Gigabytes by cs_uri_stem | sort -sc_bytes ...| stats sum(eval(sc_bytes/1073741824)) AS Gigabytes by cs_uri_stem | sort -Gigabytes ...| stats sum(eval(sc_bytes/1073741824)) AS Gigabytes by cs_uri_stem | sort -Gigabytes | head 100 ...| stats sum(eval(sc_bytes/1073741824)) as Gigabytes by cs_uri_stem | sort -sc_bytes | head 100</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 18 Aug 2020 21:17:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-do-these-seemingly-identical-searches-return-different/m-p/514777#M144496 CarbonCriterium 2020-08-18T21:17:51Z https://community.splunk.com/t5/Splunk-Search/Why-do-these-seemingly-identical-searches-return-different/m-p/514898#M144543 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224144">@CarbonCriterium</a>&nbsp;, in the last query&nbsp;</P><P>..| stats sum(eval(sc_bytes/1073741824)) as Gigabytes by cs_uri_stem | sort -sc_bytes | head 100</P><P>below sort will do nothing as the field used for sorting does not exist in the result</P><P>...| sort -sc_bytes</P><P>and below is taking 100 results (after the stats command) from the top&nbsp;</P><P>....| head 100</P><P>Are you seeing any different behavior?&nbsp;&nbsp;</P> Wed, 19 Aug 2020 10:32:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-do-these-seemingly-identical-searches-return-different/m-p/514898#M144543 Nisha18789 2020-08-19T10:32:03Z https://community.splunk.com/t5/Splunk-Search/Why-do-these-seemingly-identical-searches-return-different/m-p/514946#M144550 <P>The head command appears to work correctly, but the results do not match up.&nbsp; In the attached screenshot the values that have the greatest value in GB do not have the greatest value in Bytes.&nbsp;&nbsp;</P> Wed, 19 Aug 2020 13:36:30 GMT https://community.splunk.com/t5/Splunk-Search/Why-do-these-seemingly-identical-searches-return-different/m-p/514946#M144550 CarbonCriterium 2020-08-19T13:36:30Z https://community.splunk.com/t5/Splunk-Search/Why-do-these-seemingly-identical-searches-return-different/m-p/514955#M144551 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224144">@CarbonCriterium</a>&nbsp;, can you try this once and see it that helps</P><P>&nbsp;</P><P><SPAN>..| stats sum(sc_bytes) as bytes by cs_uri_stem | eval Gigabytes=bytes/1073741824|sort - Gigabytes | head 100</SPAN></P> Wed, 19 Aug 2020 14:15:48 GMT https://community.splunk.com/t5/Splunk-Search/Why-do-these-seemingly-identical-searches-return-different/m-p/514955#M144551 Nisha18789 2020-08-19T14:15:48Z