Why is the event sort not reflecting in Statistics tab?

mawomommoh
Path Finder

I have an xml containing steps with timestamps. When I run a search, I am able to sort the events based on the timestamps I have extracted from the xml.

In the Events tab, my xml steps sort properly based on the timestamp, but when I switch to the Statistics tab, my xml steps(events) appear in alphabetical order instead of sorting based on the timestamp.

Why does the sort work when in the Events tab but not when in the Statistics tab when the search query is the same?

Any help will be appreciated.

Thanks

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try this

host=XXXX index=XXXX 
 | eval NewTime=strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N") | eval _time=NewTime 
 | sort _time| eventstats max(_time) AS lastestScan by Description 
 | where _time=lastestScan | stats count by _time Description, StepResult| eval color=case(StepResult=="Passed","green",StepResult=="Skipped","gold", StepResult=="Failed","red")
 | eval StepResult = Description

This will give results sorted in ascending order of _time. If you want descending order, just add | sort -_time at the end.

Also, your last eval just overwrites the value of the StepResult field with the value of the Description field. Do you want to show two fields with the same value here?

mawomommoh
Path Finder

It worked. Thanks!

Yes, based on what I am working on I need those two fields to have the same value.

You can add your answer so I give you credit.

Thanks for the assistance once again. 🙂

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@mawomommoh - We converted @somesoni2's comment to an answer so you can accept it.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The Events tab shows the events in the default sorting of reverse chronological order (most recent events first). The results in the Statistics tab are shown based on the SPL that you've written. If your query generates a timestamp in string format, a string sort would be applied. Generally, we'd say to apply sorting in epoch format for accurate results and then convert to string format. More accurate suggestions can be provided if you can share your current search.

0 Karma
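The two points made in this reply and in the accepted answer (results in the Statistics tab come out in the order of the fields you stats by, and a sort on a formatted timestamp string is not a time sort) can be reproduced outside Splunk. The following is an added Python illustration, not code from the thread or from Splunk: it parses the same "%Y-%m-%dT%H:%M:%S.%3N"-style StartTime values, applies the eventstats/where "latest scan per Description" filter, and then runs the equivalent of stats count with and without _time as the first by-field. The events, their Description names and their timestamps are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (not taken from the thread). StartTime uses the
# same layout the search parses with strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N").
EVENTS = [
    {"Description": "Login",    "StepResult": "Passed",  "StartTime": "2024-03-05T09:15:00.120"},
    {"Description": "Login",    "StepResult": "Failed",  "StartTime": "2024-03-05T18:02:11.900"},
    {"Description": "Checkout", "StepResult": "Skipped", "StartTime": "2024-03-05T09:16:30.005"},
    {"Description": "Checkout", "StepResult": "Passed",  "StartTime": "2024-03-05T09:16:30.005"},
    {"Description": "Logout",   "StepResult": "Passed",  "StartTime": "2024-03-05T09:20:45.000"},
]


def parse_start_time(value: str) -> float:
    """Counterpart of Splunk's strptime(..., "%Y-%m-%dT%H:%M:%S.%3N").
    Python has no %3N; its %f accepts the 3-digit millisecond field.
    The value is treated as UTC so the epoch numbers are deterministic."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc).timestamp()


def latest_scan_only(events):
    """eventstats max(_time) AS lastestScan by Description | where _time=lastestScan:
    keep, for each Description, only the events from its most recent run."""
    timed = [dict(e, _time=parse_start_time(e["StartTime"])) for e in events]
    latest = {}
    for e in timed:
        latest[e["Description"]] = max(latest.get(e["Description"], 0.0), e["_time"])
    return [e for e in timed if e["_time"] == latest[e["Description"]]]


def stats_count(events, by_fields):
    """stats count by <by_fields>: one row per distinct combination, and the rows
    come out ordered by the by-fields in the order they are listed. With
    ("Description", "StepResult") that ordering is alphabetical; putting
    "_time" (an epoch number) first makes it chronological."""
    counts = Counter(tuple(e[f] for f in by_fields) for e in events)
    rows = []
    for key in sorted(counts):
        row = dict(zip(by_fields, key))
        row["count"] = counts[key]
        rows.append(row)
    return rows


def color_for(step_result):
    """eval color=case(StepResult=="Passed","green", ...) from the thread's search."""
    return {"Passed": "green", "Skipped": "gold", "Failed": "red"}.get(step_result)


def run_search(events, by_fields):
    """The whole pipeline: latest-scan filter, stats count by ..., colour eval."""
    rows = stats_count(latest_scan_only(events), by_fields)
    for row in rows:
        row["color"] = color_for(row["StepResult"])
    return rows


def description_order(rows):
    """The order in which Descriptions would appear in the Statistics tab."""
    return [r["Description"] for r in rows]


def string_sort_vs_epoch(events):
    """Why a sort on a formatted string is not a time sort: render each StartTime
    in a 12-hour layout and compare a lexical sort with a sort on the epoch value."""
    timed = [dict(e, _time=parse_start_time(e["StartTime"])) for e in events]
    as_label = lambda e: datetime.fromtimestamp(e["_time"], timezone.utc).strftime("%I:%M %p")
    lexical = sorted(as_label(e) for e in timed)
    by_epoch = [as_label(e) for e in sorted(timed, key=lambda e: e["_time"])]
    return lexical, by_epoch


if __name__ == "__main__":
    print("stats by Description, StepResult :", description_order(run_search(EVENTS, ("Description", "StepResult"))))
    print("stats by _time, Description, ... :", description_order(run_search(EVENTS, ("_time", "Description", "StepResult"))))
    print("string sort / epoch sort          :", string_sort_vs_epoch(EVENTS))
```

Run as-is, the first line lists Checkout, Checkout, Login, Logout (alphabetical, which is what the question describes) and the second lists Checkout, Checkout, Logout, Login (chronological, because the Login step's latest run is the 18:02 one). The last line shows "06:02 PM" sorting first lexically but last by epoch, which is the string-versus-epoch point made above.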

mawomommoh
Path Finder

This is my current search:

host=XXXX index=XXXX 
 | eval NewTime=strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N") | eval _time=NewTime 
 | sort _time| eventstats max(_time) AS lastestScan by Description 
 | where _time=lastestScan | stats count by Description, StepResult| eval color=case(StepResult=="Passed","green",StepResult=="Skipped","gold", StepResult=="Failed","red")
 | eval StepResult = Description

'StartTime' is the extracted field from the xml. It sorts fine in the Events tab but not in the Statistics tab.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You're not using the _time field in your final result (in the stats command). Your result will be sorted by the Description and StepResult field values. Could you explain what sorting you're expecting in the Statistics tab?

0 Karma

mawomommoh
Path Finder

Oh, I see. I am expecting sorting based on _time field in the Statistics tab. How do I go about that?

0 Karma