Splunk Search

How to write search to get the numbers in order for field?


Hello Team, 

I am running below query to get the stats but I am looking to get the Store numbers in serial order, can you help me with the query ? 

index=ABC env="XYZ" StoreNumber="*" | sort by StoreNumber | stats count by StoreNumber, country, Application

Store Number country count
1 US 22
100 US 7
100 US 9
100 US 2
1000 US 13
1000 US 10
1002 US 9
1002 US 32
1018 US 22
1018 US 1
104 US 3
104 US 6
1055 US 9
1055 US 28
1081 US 39
1081 US 38
1086 US 1
1086 US 6
1086 US 1
109 US 1
109 US 2
1094 US 3
1094 US 9
11 US 3
Labels (3)
Tags (3)
0 Karma


You can see from the display that StoreNumber is left justified, which means that Splunk thinks it's a string, so you should convert it to a number to sort it.

Note: Do NOT sort before the stats command - stats will already sort it by Store Number in its output. Sorting is very inefficient, so sort as late as possible in the pipeline.

| stats...
| eval StoreNumber=tonumber(StoreNumber)
| sort StoreNumber

Do you want your store numbers to be left justified? If so you can sort and then left justify again with

| stats...
| eval StoreNumber=tonumber(StoreNumber)
| sort StoreNumber
| eval sn=printf("%-10d", Store_Number)
0 Karma


Also tried below ones but no luck 

sort by -latest(StoreNumber)

sort by ascending(StoreNumber)

0 Karma
Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...