How to write search to get the numbers in order fo...

pkumar9610 · ‎09-20-2022

Hello Team,

I am running below query to get the stats but I am looking to get the Store numbers in serial order, can you help me with the query ?

index=ABC env="XYZ" StoreNumber="*" | sort by StoreNumber | stats count by StoreNumber, country, Application

Store Number	country	count
1	US	22
100	US	7
100	US	9
100	US	2
1000	US	13
1000	US	10
1002	US	9
1002	US	32
1018	US	22
1018	US	1
104	US	3
104	US	6
1055	US	9
1055	US	28
1081	US	39
1081	US	38
1086	US	1
1086	US	6
1086	US	1
109	US	1
109	US	2
1094	US	3
1094	US	9
11	US	3

bowesmana · ‎09-20-2022

You can see from the display that StoreNumber is left justified, which means that Splunk thinks it's a string, so you should convert it to a number to sort it.

Note: Do NOT sort before the stats command - stats will already sort it by Store Number in its output. Sorting is very inefficient, so sort as late as possible in the pipeline.

search...
| stats...
| eval StoreNumber=tonumber(StoreNumber)
| sort StoreNumber

Do you want your store numbers to be left justified? If so you can sort and then left justify again with

search
| stats...
| eval StoreNumber=tonumber(StoreNumber)
| sort StoreNumber
| eval sn=printf("%-10d", Store_Number)

pkumar9610 · ‎09-20-2022

Also tried below ones but no luck

sort by -latest(StoreNumber)

sort by ascending(StoreNumber)

How to write search to get the numbers in order for field?

other

stats

tstats

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?