Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to sort listed data?

happy035
Explorer
‎07-23-2014 12:29 AM

I extracted some data from my set with this "stats count by failure_reason, dst | stats list(dst) as Target list(count) as "N of Target" by failure_reason "
The I got follow result set.

failure_reason dst [N of Target]
not a http reply line 107.23..199 27
108.168..6 5
110.75.***.240 9

I'd like to sort dst field using [N of Target]. Could you tell me how can I do that please?
Then one more question, I want to watch dstes over count such as over 100 count. How can I complete that?

Many Thanks

Tags (2)
0 Karma
Reply

happy035
Explorer
‎07-23-2014 01:26 AM

Hi Strive. It's correct. I want to extract destination list if count is greater than 100. But before it, I'd like to descending sort with N of Target.

0 Karma
Reply

strive
Influencer
‎07-23-2014 01:04 AM

Basically you need to sort dst based on Count in ascending order? Additionally you want to see only those dst(s) which have count greater than 100. Is that right?

0 Karma
Reply

PPape
Contributor
‎07-23-2014 12:58 AM

stats count by failure_reason, dst | stats list(dst) as Target list(count) as "N of Target" by failure_reason | sort 100 - "N of Target"

Should show you the top 100 results sorted by N of Target

can you give an example for your second question? I'm not sure if I understand it correct.

0 Karma
Reply

PPape
Contributor
‎07-23-2014 01:38 AM

Than try this:

stats count by failure_reason, dst | stats list(dst) as Target list(count) as "N of Target" by failure_reason | where "N of Target" >= 100 | sort 1000 - "N of Target"

0 Karma
Reply

happy035
Explorer
‎07-23-2014 01:29 AM

Thanks for comment PPape,
When I executed my script, I got a unsorted set in "N of target". I want descended sorting data with "N of Target" field. 100 means if count is greater than 100, I will include data set.

0 Karma
Reply
Get Updates on the Splunk Community!

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...