Solved: Sort by event count

rockb · ‎11-18-2021

I have panel on a dashboard that lists events in a security log. I can list them by Event ID but I would like it listed by Event ID count so that the most frequent are at the top. If I change "count by Event" to "count by count" I get an error "The output field 'count ' cannot have the same name as a group by field."

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event</query>

How do I get it to list them in descending order by count?

richgalloway · ‎11-18-2021

Counting and ordering are different operations. Once you have the count, put the results in order using the sort command.

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event | sort 0 - count</query>

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-18-2021

Counting and ordering are different operations. Once you have the count, put the results in order using the sort command.

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event | sort 0 - count</query>

---
If this reply helps you, Karma would be appreciated.

Sort by event count

panel

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Sort by event count

panel

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience