Splunk Search

How can I sort a field alphabetically and then by total?

Motivator

I have the following search in which I'm trying to sort first alphabetically and then by total, but the Processes field is not sorting alphabetically.

index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total

Any idea as to what I'm missing or not doing correctly?
Thx

0 Karma

Re: How can I sort a field alphabetically and then by total?

Motivator

Modified the search as below, but still no luck:

index=sysmon | stats count by process,ParentImage | sort +str(process),-count | stats dc(process) as Total, list(process) as Processes by ParentImage | sort +str(Processes), -total
0 Karma

Re: How can I sort a field alphabetically and then by total?

SplunkTrust

What sort order are you getting?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How can I sort a field alphabetically and then by total?

Motivator

I get the correct sort order based on Total, but the Processes field is all over the place. Here's from the first listing:

cmd.exe
notepad++.exe
Update.exe
aruser.exe
firefox.exe
runonce.exe
Box Edit.exe
Box Local Com Service.exe
CCleaner64.exe
DellSystemDetect.exe
IAStorIconLaunch.exe
ImageTray.exe
ONENOTEM.EXE
OUTLOOK.EXE
OneDrive.exe
RDCMan.exe
SnippingTool.exe
WINWORD.EXE
chrome.exe
explorer.exe
lync.exe
netsession_win.exe
vmtoolsd.exe
0 Karma

Re: How can I sort a field alphabetically and then by total?

SplunkTrust

The Processes field at the end is a multivalued field, hence it doesn't get sorted by the sort command. Give this a try:

index=sysmon | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total

Please note that Processes is sorted lexicographically (upper case is sorted first, then lower case).


Re: How can I sort a field alphabetically and then by total?

Motivator

Thx as that worked (as well as the explanation on sorting lexicographically). With that knowledge, I modified my search as below which allowed for sorting alphabetically on the Processes field.

index=sysmon | eval process=lower(process) | stats count by process,ParentImage | sort -count | stats dc(process) as Total, list(process) as Processes by ParentImage | eval Processes=mvsort(Processes) | sort -total

Please copy your reply into the answer field so I can mark it as such, and thx again for the help!
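The two behaviours discussed in the accepted answer and in the final search above, reproduced in plain Python as an added example (this is not code from the thread or from Splunk): `mvsort()` orders a multivalue field by code point, so every name starting with an upper-case letter lands before every lower-case name, and applying `lower()` before the stats is what yields the case-insensitive order the original poster wanted. The process names come from the listing quoted in the thread; the ParentImage values in `SAMPLE_EVENTS` are constructed for the example, and `stats_by_parent()` is an assumed helper that emulates the `stats ... by ParentImage | eval Processes=mvsort(Processes) | sort -Total` part of the pipeline.

```python
from collections import defaultdict

# Process names as listed in the thread (constructed order, as quoted there).
PAGE_LISTING = [
    "cmd.exe", "notepad++.exe", "Update.exe", "aruser.exe", "firefox.exe",
    "runonce.exe", "Box Edit.exe", "Box Local Com Service.exe", "CCleaner64.exe",
    "DellSystemDetect.exe", "IAStorIconLaunch.exe", "ImageTray.exe",
    "ONENOTEM.EXE", "OUTLOOK.EXE", "OneDrive.exe", "RDCMan.exe",
    "SnippingTool.exe", "WINWORD.EXE", "chrome.exe", "explorer.exe",
    "lync.exe", "netsession_win.exe", "vmtoolsd.exe",
]

# Constructed (process, ParentImage) pairs standing in for Sysmon events.
# The parent names are invented for the example.
SAMPLE_EVENTS = [
    ("cmd.exe", "explorer.exe"),
    ("notepad++.exe", "explorer.exe"),
    ("Update.exe", "explorer.exe"),
    ("aruser.exe", "explorer.exe"),
    ("cmd.exe", "explorer.exe"),        # repeated pair: dc() counts it once
    ("conhost.exe", "cmd.exe"),
    ("PING.EXE", "cmd.exe"),
    ("svchost.exe", "services.exe"),
]


def mvsort(values):
    """Emulates Splunk's mvsort(): plain lexicographic (code-point) order,
    so 'Update.exe' sorts before 'aruser.exe' because 'U' < 'a'."""
    return sorted(values)


def stats_by_parent(events, case_insensitive=False):
    """Emulates
        stats dc(process) as Total, list(process) as Processes by ParentImage
        | eval Processes=mvsort(Processes) | sort -Total
    and returns a list of (ParentImage, Total, Processes) rows, highest Total
    first. With case_insensitive=True the process value is lower()-ed first,
    which is what the final search in the thread does with eval."""
    children = defaultdict(list)
    for process, parent in events:
        if case_insensitive:
            process = process.lower()
        if process not in children[parent]:      # dc(): distinct values only
            children[parent].append(process)
    rows = [(parent, len(procs), mvsort(procs)) for parent, procs in children.items()]
    rows.sort(key=lambda row: row[1], reverse=True)   # sort -Total
    return rows


def uppercase_first_count(values):
    """How many names mvsort() places before the first lower-case name:
    a quick way to see the 'upper case first' effect on a listing."""
    ordered = mvsort(values)
    for index, name in enumerate(ordered):
        if name[:1].islower():
            return index
    return len(ordered)


if __name__ == "__main__":
    print("mvsort on the thread's listing:", mvsort(PAGE_LISTING))
    print("upper-case names placed first:", uppercase_first_count(PAGE_LISTING))
    for parent, total, procs in stats_by_parent(SAMPLE_EVENTS):
        print(f"{parent:14} Total={total} Processes={procs}")
    for parent, total, procs in stats_by_parent(SAMPLE_EVENTS, case_insensitive=True):
        print(f"{parent:14} Total={total} Processes={procs}  (lower() first)")
```

Running the block prints the listing with all 13 capitalised names ahead of `aruser.exe`, then the grouped rows in both orders; note that `lower()` applied before `stats` also merges names that differ only in case into one distinct value, so `Total` can be smaller than with the original search.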


Re: How can I sort a field alphabetically and then by total?

SplunkTrust

Here you go.

0 Karma

Re: How can I sort a field alphabetically and then by total?

Motivator

Thx again!

0 Karma