Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I sort a field alphabetically and then by total?

jwalzerpitt
Influencer
‎08-14-2017 12:36 PM

I have the following search in which I'm trying to sort first alphabetically and then by total, but the Processes field is not sorting alphabetically. 

index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total

Any idea as to what I'm missing or not doing correctly?
Thx

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-14-2017 01:38 PM

The Processes field in the end is a multivalued field hence doesn't get sorted using sort command. Give this a try

index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total

Please note that Processes are sorted lexicographically (upper case are sorted first then lower case)

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-14-2017 01:38 PM

The Processes field in the end is a multivalued field hence doesn't get sorted using sort command. Give this a try

index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total

Please note that Processes are sorted lexicographically (upper case are sorted first then lower case)

Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎08-14-2017 01:49 PM

Thx as that worked (as well as the explanation on sorting lexicographically). With that knowledge, I modified my search as below which allowed for sorting alphabetically on the Processes field. 

index=sysmon | eval process=lower(process) | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total

Please copy your reply into the answer field so I can mark it as such, and thx again for the help!

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-14-2017 01:53 PM

Here you go.

0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎08-14-2017 01:57 PM

Thx again!

0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎08-14-2017 12:39 PM

Modified search to as below, but still no luck

index=sysmon | stats count by process,ParentImage | sort +str(process),-count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-14-2017 12:54 PM

What sort order are you getting?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎08-14-2017 01:00 PM

I get the correct sort order based on Total, but the Processes field is all over the place. Here's from the first listing:

    cmd.exe
notepad++.exe
Update.exe
aruser.exe
firefox.exe
runonce.exe
Box Edit.exe
Box Local Com Service.exe
CCleaner64.exe
DellSystemDetect.exe
IAStorIconLaunch.exe
ImageTray.exe
ONENOTEM.EXE
OUTLOOK.EXE
OneDrive.exe
RDCMan.exe
SnippingTool.exe
WINWORD.EXE
chrome.exe
explorer.exe
lync.exe
netsession_win.exe
vmtoolsd.exe
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top