Solved: Sort by event count

rockb · ‎11-18-2021

I have panel on a dashboard that lists events in a security log. I can list them by Event ID but I would like it listed by Event ID count so that the most frequent are at the top. If I change "count by Event" to "count by count" I get an error "The output field 'count ' cannot have the same name as a group by field."

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event</query>

How do I get it to list them in descending order by count?

richgalloway · ‎11-18-2021

Counting and ordering are different operations. Once you have the count, put the results in order using the sort command.

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event | sort 0 - count</query>

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-18-2021

Counting and ordering are different operations. Once you have the count, put the results in order using the sort command.

<query>index="wineventlog" $Site_Token$ $Cmptr_Token$ $Type$ LogName="Security" Type=Information | stats count by Event | sort 0 - count</query>

---
If this reply helps you, Karma would be appreciated.

Sort by event count

panel

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Sort by event count

panel

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!