Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to sort listed data?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to sort listed data?
happy035
Explorer
07-23-2014
12:29 AM
I extracted some data from my set with this "stats count by failure_reason, dst | stats list(dst) as Target list(count) as "N of Target" by failure_reason "
The I got follow result set.
failure_reason dst [N of Target]
not a http reply line 107.23..199 27
108.168..6 5
110.75.***.240 9
I'd like to sort dst field using [N of Target]. Could you tell me how can I do that please?
Then one more question, I want to watch dstes over count such as over 100 count. How can I complete that?
Many Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
happy035
Explorer
07-23-2014
01:26 AM
Hi Strive. It's correct. I want to extract destination list if count is greater than 100. But before it, I'd like to descending sort with N of Target.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
strive
Influencer
07-23-2014
01:04 AM
Basically you need to sort dst based on Count in ascending order? Additionally you want to see only those dst(s) which have count greater than 100. Is that right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PPape
Contributor
07-23-2014
12:58 AM
stats count by failure_reason, dst | stats list(dst) as Target list(count) as "N of Target" by failure_reason | sort 100 - "N of Target"
Should show you the top 100 results sorted by N of Target
can you give an example for your second question? I'm not sure if I understand it correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PPape
Contributor
07-23-2014
01:38 AM
Than try this:
stats count by failure_reason, dst | stats list(dst) as Target list(count) as "N of Target" by failure_reason | where "N of Target" >= 100 | sort 1000 - "N of Target"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
happy035
Explorer
07-23-2014
01:29 AM
Thanks for comment PPape,
When I executed my script, I got a unsorted set in "N of target". I want descended sorting data with "N of Target" field. 100 means if count is greater than 100, I will include data set.
Get Updates on the Splunk Community!
Developer Spotlight with William Searle
The Splunk Guy: A Developer’s Path from Web to Cloud
William is a Splunk Professional Services Consultant with ...
Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!
Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...
Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
