sort descending avg time field in results

New Member

i have a field "avgtime" which i want to display in descending order. tried sort -avgtime but didn't worked

eval n=round(diff,2)|chart limit=200 eval(round(avg(n),2)) as avgtime count over TransactionGroupName by v usenull=false. v is version of app

the results table has fields TransactionGroupName, count:v, avgtime:v

Tags (1)
0 Karma

Re: sort descending avg time field in results


I haven't your data so I cannot test your search, but you cannot put an eval in a chart command in that way and I think that you don't need, try something like this:

| chart limit=200 avg(diff) as avg_time over Transaction_GroupName BY v
| eval  avg_time=round(avg_time,2)

The problem is that avgtime isn't a column of the table because as column you have v so you cannot sort by avgtime and that you cannot have two fields in chart command.

To have avgtime as a column you have to use the command stats, having in two different columns TransactionGroupName and v, something like this:

| stats avg(diff) as avg_time count BY Transaction_GroupName v
| eval  avg_time=round(avg_time,2)
| sort 200 -avg_time

I don't know if it could be acceptable for you.


0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.