https://community.splunk.com/t5/Splunk-Search/sort-after-limit-row/m-p/193788#M55850 <P>Hi:</P> <P>I'hope sort after limit row, i try head or sort limit or top...but fail, what can i do?<BR /> Thank you</P> <PRE><CODE>sourcetype=xxx |eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidth(MB)) as bandwidth(MB) by srcip| table srcip,dstip,app,hostname bandwidth(MB)|sort bandwidth(MB) desc </CODE></PRE> <P>now:</P> <P>srcip dstip ... bandwidth(MB)<BR /> 1.1.1.1 2.2.2.2 5<BR /> 3.3.3.3 5<BR /> 4.4.4.4 5<BR /> ....<BR /> 10.10.10.10</P> <P>hope modify to dstip limit 3:</P> <P>srcip dstip ... bandwidth(MB)<BR /> 1.1.1.1 2.2.2.2 5<BR /> 3.3.3.3 5<BR /> 4.4.4.4 5</P> Wed, 19 Mar 2014 05:12:26 GMT chengyu 2014-03-19T05:12:26Z https://community.splunk.com/t5/Splunk-Search/sort-after-limit-row/m-p/193788#M55850 <P>Hi:</P> <P>I'hope sort after limit row, i try head or sort limit or top...but fail, what can i do?<BR /> Thank you</P> <PRE><CODE>sourcetype=xxx |eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidth(MB)) as bandwidth(MB) by srcip| table srcip,dstip,app,hostname bandwidth(MB)|sort bandwidth(MB) desc </CODE></PRE> <P>now:</P> <P>srcip dstip ... bandwidth(MB)<BR /> 1.1.1.1 2.2.2.2 5<BR /> 3.3.3.3 5<BR /> 4.4.4.4 5<BR /> ....<BR /> 10.10.10.10</P> <P>hope modify to dstip limit 3:</P> <P>srcip dstip ... bandwidth(MB)<BR /> 1.1.1.1 2.2.2.2 5<BR /> 3.3.3.3 5<BR /> 4.4.4.4 5</P> Wed, 19 Mar 2014 05:12:26 GMT https://community.splunk.com/t5/Splunk-Search/sort-after-limit-row/m-p/193788#M55850 chengyu 2014-03-19T05:12:26Z https://community.splunk.com/t5/Splunk-Search/sort-after-limit-row/m-p/193789#M55851 <P>I am not sure exactly what you want here, but you have some errors in your search. First <CODE>(</CODE> is not a valid character in a field name, unless you enclose it in quotation marks (sometimes double quotes and sometimes single quotes). So I suggest that you use a different field name like <CODE>bandwidthMB</CODE> to avoid this problem.</P> <PRE><CODE>sourcetype=xxx |eval bandwidth=rcvdbyte+sentbyte | eval bandwidthMB = round(bandwidth/1024/1024,2) | stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidthMB) as bandwidthMB by srcip | sort 10 -bandwidthMB </CODE></PRE> <P>By adding the <CODE>10</CODE> into the <CODE>sort</CODE> command, you will only see the top 10 values of bandwidthMB</P> <P>If you only want to see the top 3 values of <CODE>dstip</CODE>, you can do this:</P> <PRE><CODE>sourcetype=xxx | eval bandwidthMB=round((rcvdbyte+sentbyte )/1024/1024,2) | stats count sum(bandwidthMB) as bandwidthMB by dstip app hostname srcip | sort srcip -count | stats list(dstip) as dstip values(app) as app values(hostname) as hostname sum(bandwidthMB) as bandwidthMB by srcip | eval dstipList = mvjoin(dstip,";") | eval dstipList = replace(dstipList,"^(.+?;.+?;.+?);.*","\1") | eval dstip=split(dstipList,";") | fields - dstipList | sort 10 -bandwidthMB </CODE></PRE> Wed, 19 Mar 2014 07:38:53 GMT https://community.splunk.com/t5/Splunk-Search/sort-after-limit-row/m-p/193789#M55851 lguinn2 2014-03-19T07:38:53Z https://community.splunk.com/t5/Splunk-Search/sort-after-limit-row/m-p/193790#M55852 <P>Thank you so much.</P> Wed, 19 Mar 2014 08:31:49 GMT https://community.splunk.com/t5/Splunk-Search/sort-after-limit-row/m-p/193790#M55852 chengyu 2014-03-19T08:31:49Z