https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285461#M86370 <P>Hi all,</P> <P>I have the following search </P> <PRE><CODE>"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400 | stats dc(Bundle) as count values(Bundle) as Bundle values(_time) as time list(time2) as Date values(time_diff) as time_diff values(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H)) </CODE></PRE> <P>Which returns a table that looks something like this:</P> <PRE><CODE> Machine_Serial count Bundle time Date time_diff tim_diff(H) ____________________________________________________________________________________________ 75123 3 1.1 1458049413 2016/03/16 6702139.000000 1134.5710532407 1.3 1458053068 2013/04/2 98026939.000000 1135.5710532407 1.4 1464618084 2013/04/23 98113339.000000 77.57105324074 -------------------------------------------------------------------------------------------- 75334 1 1.5 1464788901 2012/10/17 114356539.000000 1323.57105324074 </CODE></PRE> <P>I've been trying to sort based on the values of time_diff(H) using the sort command, however, it doesn't seem to work on the values in the same under the same group, so they'll be mismatched internally. I've attempted various sort commands, as well placing it in different locations, but I haven't been able to crack it. Is there any I can achieve this? </P> <P>Thank you in advance.</P> Wed, 01 Jun 2016 21:09:36 GMT raby1996 2016-06-01T21:09:36Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285461#M86370 <P>Hi all,</P> <P>I have the following search </P> <PRE><CODE>"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400 | stats dc(Bundle) as count values(Bundle) as Bundle values(_time) as time list(time2) as Date values(time_diff) as time_diff values(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H)) </CODE></PRE> <P>Which returns a table that looks something like this:</P> <PRE><CODE> Machine_Serial count Bundle time Date time_diff tim_diff(H) ____________________________________________________________________________________________ 75123 3 1.1 1458049413 2016/03/16 6702139.000000 1134.5710532407 1.3 1458053068 2013/04/2 98026939.000000 1135.5710532407 1.4 1464618084 2013/04/23 98113339.000000 77.57105324074 -------------------------------------------------------------------------------------------- 75334 1 1.5 1464788901 2012/10/17 114356539.000000 1323.57105324074 </CODE></PRE> <P>I've been trying to sort based on the values of time_diff(H) using the sort command, however, it doesn't seem to work on the values in the same under the same group, so they'll be mismatched internally. I've attempted various sort commands, as well placing it in different locations, but I haven't been able to crack it. Is there any I can achieve this? </P> <P>Thank you in advance.</P> Wed, 01 Jun 2016 21:09:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285461#M86370 raby1996 2016-06-01T21:09:36Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285462#M86371 <P>Try sorting before the stats command?</P> Wed, 01 Jun 2016 22:58:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285462#M86371 sundareshr 2016-06-01T22:58:00Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285463#M86372 <P>I've tried that, and the results are the same, still I appreciate the help.</P> Thu, 02 Jun 2016 00:17:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285463#M86372 raby1996 2016-06-02T00:17:50Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285464#M86373 <P>Give this a try</P> <PRE><CODE>"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400 | stats count by Machine_Serial Bundle _time time2 time_diff times | sort 0 Machine_Serial -num(timed) | stats dc(Bundle) as count list(Bundle) as Bundle list(_time) as time list(time2) as Date list(time_diff) as time_diff list(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H)) </CODE></PRE> Thu, 02 Jun 2016 04:52:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285464#M86373 somesoni2 2016-06-02T04:52:04Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285465#M86374 <P>Worked flawlessly, thank you.</P> Thu, 02 Jun 2016 18:16:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285465#M86374 raby1996 2016-06-02T18:16:45Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285466#M86375 <P>one note I changed the "times" to" timed" at the end of the 4th line</P> Thu, 02 Jun 2016 18:17:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-sort-individual-values-in-fields/m-p/285466#M86375 raby1996 2016-06-02T18:17:37Z