Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sort a table based on two columns in order of priority?

DavidHourani
Super Champion
‎06-17-2015 05:05 AM

Hello dear Splunkers,

I have a table showing the amount of downloaded data per website by user on my network.

Is it possible to sort this table based on two fields? I need the "sort" to put priority on the total downloaded amount per user and then the total amount downloaded per website.

This means there will be two sorts: the first sort will fix up all the users that downloaded the most in a way to get the user that downloaded the most on top of the list (regardless of the webpages the accessed). The second sort will set the most bandwidth consuming webpage per user in order. That makes the table show the top users and top websites per top users (hope that's not too complicated).

Here are the fields being used:
User : The user
webpage : The accessed webpage
BWu : Bandwidth per User
BWs : Bandwidth per webpage

Regards,
David

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-22-2019 10:52 PM

You can stack sort arguments like this:

...
| sort 0 -BWu -BWs

But what I suspect you really desire is something like this:

...
| sort 0 -count
| stats list(BWs) AS BWs list(webpage) AS webpage sum(BWs) AS BWu BY User
| sort 0 -BWu

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-22-2019 10:52 PM

You can stack sort arguments like this:

...
| sort 0 -BWu -BWs

But what I suspect you really desire is something like this:

...
| sort 0 -count
| stats list(BWs) AS BWs list(webpage) AS webpage sum(BWs) AS BWu BY User
| sort 0 -BWu
Reply
Solved! Jump to solution

jrouse025
Path Finder
‎04-04-2019 08:03 AM

|sort -BWu -BWs +Username

Reply
Solved! Jump to solution

chimell
Motivator
‎06-17-2015 06:25 AM

Hi DavidHourani
try this search code

.....|stats count by User webpage |top limit=0 User webpage |appendcols[search .....|stats count by BWu BWs  |top limit=0  BWu BWs]
Reply
Solved! Jump to solution

gyslainlatsa
Motivator
‎06-17-2015 05:21 AM

hi DavidHourani,

you search corresponding |stats count by field1, field2, field3, field4 |sort -count
0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-17-2015 05:29 AM

Thanks for your reply Gys, I need to have double sorting, one based on BWu and one on BWs, in your case I only have sorting on count right ?

0 Karma
Reply
Solved! Jump to solution

gyslainlatsa
Motivator
‎06-17-2015 05:40 AM

try like this: you search corresponding |stats count by BWu , BWs |sort -count

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-17-2015 05:42 AM

Thanks for the tip, it doesn't work though. The sort should be based on BWu and BWs not on the count. because the count is equal to 1 for all the values 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top