I was surprised by this result: In a field starting with a value that can be interpreted as an integer, groupby treats it lexically, but sort treats it numerically. How does sort determine the intention? Is there a syntax to force lexical sort?
To illustrate, consider the following:
| makeresults
| eval i = mvrange(-3, 4)
| mvexpand i
| eval i = printf("%+d", i) . "x"
| stats count by i
i | count |
+0x | 1 |
+1x | 1 |
+2x | 1 |
+3x | 1 |
-1x | 1 |
-2x | 1 |
-3x | 1 |

i | count |
-3x | 1 |
-2x | 1 |
-1x | 1 |
+0x | 1 |
+1x | 1 |
+2x | 1 |
+3x | 1 |
In my use case, numeric sort is desired. (That was how I "discovered" this.) Just curious about mechanism.
To see how sort determines how to sort the results, see https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Sort#Usage . You can override the default by specifying a Sort Field Option. See https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Sort#Sort_field_options
Since the manual entry for stats is silent on the subject, I presume it uses lexicographical order.
Thanks for the pointer! In short, to force lexicographical order, | sort str(i). (I had used sort ip() but didn't know str() was also a directive.)
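Added example, not part of the thread: the question's query extended to record each value's position under both orderings in one table, using only the default sort and the `str()` option named in the reply above. The field names `rank_lexical` and `rank_default` are made up for this illustration.

```spl
| makeresults
| eval i = mvrange(-3, 4)
| mvexpand i
| eval i = printf("%+d", i) . "x"
| stats count by i
| sort 0 str(i)
| streamstats count as rank_lexical
| sort 0 i
| streamstats count as rank_default
| table i rank_lexical rank_default
```

With the seven values from the question, `rank_lexical` follows the order of the first table and `rank_default` follows the order of the second.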