Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Magical sort order

yuanliu
SplunkTrust
SplunkTrust
‎12-23-2021 01:05 PM

I was surprised by this result: In a field starting with a value that can be interpreted as an integer, groupby treats it lexically, but sort treats it numerically.  How does sort determine the intention?  Is there a syntax to force lexical sort?

To illustrate, consider the following:

 

| makeresults
| eval i = mvrange(-3, 4)
| mvexpand i
| eval i = printf("%+d", i) . "x"
| stats count by i

 

 

 

  • As is (groupby only)
    icount
    +0x1
    +1x1
    +2x1
    +3x1
    -1x1
    -2x1
    -3x1
  • Add |sort i
    icount
    -3x1
    -2x1
    -1x1
    +0x1
    +1x1
    +2x1
    +3x1

In my use case, numeric sort is desired. (That was how I "discovered" this.)  Just curious about mechanism.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-23-2021 05:05 PM

To see how sort determines how to sort the results, see https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Sort#Usage . You can override the default by specifying a Sort Field Option.  See https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Sort#Sort_field_options

Since the manual entry for stats is silent on the subject, I presume it uses lexicographical order.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-23-2021 05:05 PM

To see how sort determines how to sort the results, see https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Sort#Usage . You can override the default by specifying a Sort Field Option.  See https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Sort#Sort_field_options

Since the manual entry for stats is silent on the subject, I presume it uses lexicographical order.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎12-24-2021 12:17 PM

Thanks for the pointer!  In short, to force lexicographical order, | sort str(i). (I had used sort ip() but didn't know str() was also a directive.)

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
li.common.scroll-to.top