https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634957#M220579 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252798">@buttsurfer</a>,</P><P>as you can read at&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Sort" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Sort</A>&nbsp;yu could use:</P><LI-CODE lang="markup">| sort 0 feature</LI-CODE><P>in this way you don't limit results.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 17 Mar 2023 16:30:32 GMT gcusello 2023-03-17T16:30:32Z https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634951#M220575 <P>I have a very simple search and when I add the sort command i lose almost 90% of my actual results.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index="features" application=kokoapp type=userStats | sort feature | dedup feature | table feature </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Without the sort command I get 35 results and with it included i only get 4 results. Is there something I am missing?</P> Mon, 20 Mar 2023 14:43:31 GMT https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634951#M220575 buttsurfer 2023-03-20T14:43:31Z https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634954#M220576 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252798">@buttsurfer</a>,</P><P>sort cuts results only if you have more than 10,000 results.</P><P>probably is dedup that deletes some events.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 17 Mar 2023 16:11:36 GMT https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634954#M220576 gcusello 2023-03-17T16:11:36Z https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634955#M220577 <P>Turns out there actually are over 10,000 results. But I need them all - is there a workaround to this?</P> Fri, 17 Mar 2023 16:14:38 GMT https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634955#M220577 buttsurfer 2023-03-17T16:14:38Z https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634957#M220579 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/252798">@buttsurfer</a>,</P><P>as you can read at&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Sort" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Sort</A>&nbsp;yu could use:</P><LI-CODE lang="markup">| sort 0 feature</LI-CODE><P>in this way you don't limit results.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 17 Mar 2023 16:30:32 GMT https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634957#M220579 gcusello 2023-03-17T16:30:32Z https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634960#M220581 <P>10k limit for sort is one thing but if you say that you get 4 out of 35 results, that's way under 10k <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>Remember that dedup works by leaving first event with given field(s) and then dropping other subsequent results with this field(s). So it is most probably the culprit here. When you sort by a field then dedup by this field you'll effectively leave just one event per each possible value of this field.</P> Fri, 17 Mar 2023 16:57:38 GMT https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634960#M220581 PickleRick 2023-03-17T16:57:38Z https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634989#M220597 <P>You can try to raise limit in&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf" target="_blank" rel="noopener">limits.conf</A>. &nbsp;But I don't understand what you mean by you need all &gt;10,000 results because your dedup without sort only gives you 35.</P><P>If you want to sort by feature, sort after dedup. (Sort is memory-intensive; performing sort on any sizable chunk should always be deliberate.)</P><LI-CODE lang="markup">index="features" application=kokoapp type=userStats | dedup feature | sort feature | table feature </LI-CODE><P>This should give you the same desired result.</P> Fri, 17 Mar 2023 23:35:45 GMT https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634989#M220597 yuanliu 2023-03-17T23:35:45Z https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634991#M220599 <P>Definitely you should 1st dedup and then sort. Otherwise there is possibility that you hit 10k limits and even that you wasted resources.</P> Fri, 17 Mar 2023 23:40:38 GMT https://community.splunk.com/t5/Splunk-Search/Sort-command-causing-lost-records/m-p/634991#M220599 isoutamo 2023-03-17T23:40:38Z