I previously had a query on grouping results from a search and I received a great deal of help in shaping this query. I did not realize until after applying the search string that it wasn't quite ordering the results as I had thought. The following query sorts reverse alphabetically followed by descending order of bandwidth taken by each destination IP within the app. I am working with the following search string:

index=traffic report=AppsDst | eval MegaBits=round((nbytes*(8/3600))*pow(10,-6),2) | stats sum(MegaBits) as MegaBits_per_Sec by app, dst | sort - app MegaBits_per_Sec | streamstats current=f last(app) as previousApp | eval app=if(match(app,previousApp),"",app)| fields - previousApp | rename app as Application, dst as Destination_IP

Ideally I would like to have the apps sorted first separately by their respective bandwidths, then they are broken out by the bandwidth of each IP within the Apps. I currently have a working dashboard with these two aspects separated via a drill-down. The following searches are within the dashboard:

index=traffic report=AppsDst | eval MegaBits=(nbytes*(8/3600))*pow(10,-6) | stats sum(MegaBits) as MegaBits_per_Sec by app | sort -MegaBits_per_Sec

When an application is selected it displays a drilldown table below with the following search:

index=traffic report=AppsDst | eval MegaBits_per_Sec=(nbytes*(8/3600))*pow(10,-6) | stats sum(MegaBits_per_Sec) as MegaBits_per_Sec by dst | sort -MegaBits_per_Sec | rename dst as Destination_IP

I am at mental roadblock trying to figure out if it is possible to integrate the organization/formatting from the drilldown tables into a single search string. The issue with the first search string is that it isn't sorting the apps field based on the MegaBits_per_Sec field. Any help is greatly appreciated as the current drilldown dashboard I have is not as accommodating for extraction via CSV.

Thank you for any help,

Alex