Splunk Search

How can I sort a field alphabetically and then by total?

Motivator

I have the following search in which I'm trying to sort first alphabetically and then by total, but the Processes field is not sorting alphabetically.

index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total

Any idea as to what I'm missing or not doing correctly?
Thx

1 Solution

SplunkTrust

The Processes field at the end is a multivalued field, hence it doesn't get sorted by the sort command. Give this a try:

index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total

Please note that Processes are sorted lexicographically (upper case is sorted first, then lower case).


Motivator

Thx as that worked (as well as the explanation on sorting lexicographically). With that knowledge, I modified my search as below which allowed for sorting alphabetically on the Processes field.

index=sysmon | eval process=lower(process) | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total

Please copy your reply into the answer field so I can mark it as such, and thx again for the help!
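As an added illustration (not part of the thread), the following Python models the accepted search's pipeline on a constructed set of Sysmon-style parent/child pairs: mvsort orders bytewise, so capitalised names such as Update.exe land ahead of aruser.exe unless process is lower()-ed first, which is what the final search above does. Event data, function and field names are assumed for the example.

```python
from collections import defaultdict

# Constructed Sysmon-style events, not taken from the thread: (ParentImage, process)
EVENTS = [
    ("explorer.exe", "cmd.exe"), ("explorer.exe", "notepad++.exe"),
    ("explorer.exe", "Update.exe"), ("explorer.exe", "aruser.exe"),
    ("explorer.exe", "OUTLOOK.EXE"), ("explorer.exe", "chrome.exe"),
    ("explorer.exe", "chrome.exe"),  # duplicate child: dc() counts it once
    ("services.exe", "vmtoolsd.exe"), ("services.exe", "svchost.exe"),
]


def processes_by_parent(events, casefold=False):
    """Model of:
         [eval process=lower(process)]          (only when casefold=True)
         | stats count by process,ParentImage
         | stats dc(process) as Total, list(process) as Processes by ParentImage
         | eval Processes=mvsort(Processes)
         | sort -Total
    Returns rows of (ParentImage, Total, Processes)."""
    groups = defaultdict(set)  # set models the distinct count dc(process)
    for parent, proc in events:
        groups[parent].add(proc.lower() if casefold else proc)
    # sorted() on str is bytewise like mvsort: 'O' < 'U' < 'a' < 'c' < 'n'
    rows = [(parent, len(procs), sorted(procs)) for parent, procs in groups.items()]
    # sort -Total: descending by distinct count; parent name breaks ties deterministically
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    for label, casefold in (("mvsort only", False), ("lower() then mvsort", True)):
        print(label)
        for parent, total, procs in processes_by_parent(EVENTS, casefold):
            print(f"  {parent:14} {total}  {procs}")
```

The first run reproduces the mixed-case ordering the asker saw; the second shows the alphabetical ordering after lower(), at the cost of losing the original case in the listing.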

SplunkTrust

Here you go.


Motivator

Thx again!


Motivator

Modified the search as below, but still no luck.

index=sysmon | stats count by process,ParentImage | sort +str(process),-count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total

SplunkTrust

What sort order are you getting?

---
If this reply helps you, an upvote would be appreciated.

Motivator

I get the correct sort order based on Total, but the Processes field is all over the place. Here's from the first listing:

cmd.exe
notepad++.exe
Update.exe
aruser.exe
firefox.exe
runonce.exe
Box Edit.exe
Box Local Com Service.exe
CCleaner64.exe
DellSystemDetect.exe
IAStorIconLaunch.exe
ImageTray.exe
ONENOTEM.EXE
OUTLOOK.EXE
OneDrive.exe
RDCMan.exe
SnippingTool.exe
WINWORD.EXE
chrome.exe
explorer.exe
lync.exe
netsession_win.exe
vmtoolsd.exe