How do I sort this stats count?

bayman · ‎08-10-2017

This is my search below. It shows Country and count. How do I sort the count field for largest to smallest?

index="cisco_asa" src_ip="*" dest_port="*" action="blocked" | fields src_ip | iplocation src_ip | stats count by Country

kmorris_splunk · ‎08-10-2017

Add the following to the end of your search:

your search....| sort -count

woodcock · ‎08-11-2017

Because there are fewer than 1000 Countries, this will work just fine but the default for sort is equivalent to sort 1000 so EVERYONE should ALWAYS be in the habit of using sort 0 (unlimited) instead, as in sort 0 - count or your results will be silently truncated to the first 1000.

DavidHourani · ‎06-21-2019

Just an update, default is now 10000 now 1000

dstaulcu · ‎08-11-2017

This is one of the most common gotchas I see among our users. Sure wish splunk would add some sort of tool tip or notification when such limits kick in.

santiagoaloi · ‎08-11-2017

that's a good one to keep in mind!

How do I sort this stats count?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation

How do I sort this stats count?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...