Splunk Search

sort descending avg time field in results

MOHITJOSHI
Engager

I have a field "avg_time" which I want to display in descending order. I tried sort -avg_time but it didn't work.

eval n=round(diff,2)
| chart limit=200 eval(round(avg(n),2)) as avg_time count over Transaction_GroupName by v usenull=false

v is the version of the app.

The results table has the fields Transaction_GroupName, count:v, avg_time:v

0 Karma

gcusello
SplunkTrust

Hi @MOHITJOSHI,
I don't have your data so I cannot test your search, but you cannot put an eval in a chart command in that way, and I think that you don't need it; try something like this:

index=your_index
| chart limit=200 avg(diff) as avg_time over Transaction_GroupName BY v
| eval  avg_time=round(avg_time,2)

The problem is that avg_time isn't a column of the table, because as columns you have v, so you cannot sort by avg_time, and that you cannot have two fields in a chart command.

To have avg_time as a column you have to use the stats command, which has Transaction_GroupName and v in two different columns, something like this:

index=your_index
| stats avg(diff) as avg_time count BY Transaction_GroupName v
| eval  avg_time=round(avg_time,2)
| sort 200 -avg_time

I don't know if it could be acceptable for you.

Ciao.
Giuseppe

0 Karma