Solved: Sort by event count

rockb · ‎11-18-2021

I have panel on a dashboard that lists events in a security log. I can list them by Event ID but I would like it listed by Event ID count so that the most frequent are at the top. If I change "count by Event" to "count by count" I get an error "The output field 'count ' cannot have the same name as a group by field."

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event</query>

How do I get it to list them in descending order by count?

richgalloway · ‎11-18-2021

Counting and ordering are different operations. Once you have the count, put the results in order using the sort command.

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event | sort 0 - count</query>

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-18-2021

Counting and ordering are different operations. Once you have the count, put the results in order using the sort command.

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event | sort 0 - count</query>

---
If this reply helps you, Karma would be appreciated.

Sort by event count

panel

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation