How to write search to get the numbers in order for field?


Hello Team, 

I am running the query below to get the stats, but I am looking to get the Store numbers in serial order. Can you help me with the query?

index=ABC env="XYZ" StoreNumber="*" | sort by StoreNumber | stats count by StoreNumber, country, Application

Store Number country count
1 US 22
100 US 7
100 US 9
100 US 2
1000 US 13
1000 US 10
1002 US 9
1002 US 32
1018 US 22
1018 US 1
104 US 3
104 US 6
1055 US 9
1055 US 28
1081 US 39
1081 US 38
1086 US 1
1086 US 6
1086 US 1
109 US 1
109 US 2
1094 US 3
1094 US 9
11 US 3


You can see from the display that StoreNumber is left justified, which means that Splunk thinks it's a string, so you should convert it to a number to sort it.

Note: Do NOT sort before the stats command - stats will already sort it by Store Number in its output. Sorting is very inefficient, so sort as late as possible in the pipeline.

| stats...
| eval StoreNumber=tonumber(StoreNumber)
| sort StoreNumber

Do you want your store numbers to be left justified? If so, you can sort and then left justify again with:

| stats...
| eval StoreNumber=tonumber(StoreNumber)
| sort StoreNumber
| eval sn=printf("%-10d", StoreNumber)

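The approach from the answer above as a search that runs without any index. This is an added example, not code from either poster: the events are constructed with `makeresults`, and the store numbers and the `Application` values (`POS`, `Inventory`) are made-up sample data. It goes slightly beyond the answer by using `sort 0`, because `sort` otherwise returns at most 10,000 rows, which matters when there are many store/application combinations.

```spl
| makeresults count=8 ```constructed sample events, not real data```
| streamstats count AS n
| eval StoreNumber=mvindex(split("1002,11,100,1,1000,104,100,11", ","), n-1)
| eval country="US", Application=if(n%2==0, "POS", "Inventory") ```hypothetical application names```
| stats count by StoreNumber, country, Application ```rows come back in string (lexicographic) order of StoreNumber```
| eval StoreNumber=tonumber(StoreNumber) ```convert after aggregating so sort compares numbers```
| sort 0 StoreNumber, Application ```0 removes the default 10000-row limit of sort```
```

`tonumber` returns null for a value that is not numeric, so check for store identifiers containing letters before relying on the converted field.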

Also tried the ones below, but no luck:

sort by -latest(StoreNumber)

sort by ascending(StoreNumber)
