Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does this search not sort

timrich66
Communicator
‎01-04-2022 03:51 AM

I am running this search to return batch job run times.

index=sr_prd sourcetype=batch_roylink earliest=-7d@d
| eval s=strptime(Scheduled_Batch_StartTime, "%Y-%m-%d %H:%M:%S.%Q")
| eval e=strptime(Scheduled_Batch_Endtime, "%Y-%m-%d %H:%M:%S.%Q")
| eval s=round(s,2)
| eval e=round(e,2)
| eval r=tostring(e-s, "duration")
| rename "Scheduled_Batch_StartTime" as "Start Time", "Scheduled_Batch_Endtime" as "End Time", r as "Runtime (H:M:S)"
| stats list(s) as "s", list("Start Time") as "Start Time",list("End Time") as "End Time", list("Runtime (H:M:S)") as "Runtime (H:M:S)" by Task_Object
| search Task_Object = Roylink_Upload
| sort s

Even though 's' is a numeric string, the results are not returning in search order - 

timrich66_0-1641297015475.png

Any ideas why this is happening?  Thanks

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-04-2022 04:03 AM

By the time you are sorting, s is already a multivalue field. Try:

index=sr_prd sourcetype=batch_roylink earliest=-7d@d
| eval s=strptime(Scheduled_Batch_StartTime, "%Y-%m-%d %H:%M:%S.%Q")
| eval e=strptime(Scheduled_Batch_Endtime, "%Y-%m-%d %H:%M:%S.%Q")
| eval s=round(s,2)
| eval e=round(e,2)
| eval r=tostring(e-s, "duration")
| rename "Scheduled_Batch_StartTime" as "Start Time", "Scheduled_Batch_Endtime" as "End Time", r as "Runtime (H:M:S)"
| sort s
| stats list(s) as "s", list("Start Time") as "Start Time",list("End Time") as "End Time", list("Runtime (H:M:S)") as "Runtime (H:M:S)" by Task_Object
| search Task_Object = Roylink_Upload

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎01-04-2022 04:20 AM

As suggested on the previous reply, | stats list(s) as "s" this will list out all values of "s" and assign it "s"... simply making it the field "s" as a multivalue field. 

so, run the sort command before doing this stats list operation. 

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-04-2022 04:03 AM

By the time you are sorting, s is already a multivalue field. Try:

index=sr_prd sourcetype=batch_roylink earliest=-7d@d
| eval s=strptime(Scheduled_Batch_StartTime, "%Y-%m-%d %H:%M:%S.%Q")
| eval e=strptime(Scheduled_Batch_Endtime, "%Y-%m-%d %H:%M:%S.%Q")
| eval s=round(s,2)
| eval e=round(e,2)
| eval r=tostring(e-s, "duration")
| rename "Scheduled_Batch_StartTime" as "Start Time", "Scheduled_Batch_Endtime" as "End Time", r as "Runtime (H:M:S)"
| sort s
| stats list(s) as "s", list("Start Time") as "Start Time",list("End Time") as "End Time", list("Runtime (H:M:S)") as "Runtime (H:M:S)" by Task_Object
| search Task_Object = Roylink_Upload
Reply
Solved! Jump to solution

timrich66
Communicator
‎01-04-2022 04:16 AM

Thank you, that is perfect.  (I've removed 's' from the final table as not required).

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...