Solved: Sort by event count

rockb · ‎11-18-2021

I have panel on a dashboard that lists events in a security log. I can list them by Event ID but I would like it listed by Event ID count so that the most frequent are at the top. If I change "count by Event" to "count by count" I get an error "The output field 'count ' cannot have the same name as a group by field."

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event</query>

How do I get it to list them in descending order by count?

richgalloway · ‎11-18-2021

Counting and ordering are different operations. Once you have the count, put the results in order using the sort command.

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event | sort 0 - count</query>

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-18-2021

Counting and ordering are different operations. Once you have the count, put the results in order using the sort command.

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event | sort 0 - count</query>

---
If this reply helps you, Karma would be appreciated.

Sort by event count

panel

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...