Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Renaming or ordering values used in a stats by query

jrs42
Path Finder
‎05-17-2024 12:06 PM

Here's a part of my query, ignoring where the data is coming from:

 

| eval bucket=case(dur < 30, "Less than 30sec", dur <= 60, "30sec - 60sec", dur <= 120, "1min - 2min", dur <= 240, "2min - 4min", dur > 240, "More than 4min")
| eval sort_field=case(bucket="Less than 30sec", 1, bucket="30sec - 60sec", 2, bucket="1min - 2min", 3, bucket="2min - 4min", 4, bucket="More than 4min", 5)
| sort sort_field
| stats count as "Number of Queries" by bucket

 

The problem I have is that the results are ordered alphabetically by the name of each bucket.  I'd prefer to have the order always be from quickest to slowest: <30s, 30-60s, 1-2m, 2-4m, >4m

What I get:

 

1min - 2min |  <value>
2min - 4min |  <value>
30sec - 60sec |  <value>
Less than 30sec |  <value>
More than 4min |  <value>

 

What I want:

 

Less than 30sec |  <value>
30sec - 60sec |  <value>
1min - 2min |  <value>
2min - 4min |  <value>
More than 4min |  <value>

 

I've tried a number of different approaches, none seeming to do anything.  Is this possible?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2024 12:15 PM 
| eval bucket=case(dur < 30, "Less than 30sec", dur <= 60, "30sec - 60sec", dur <= 120, "1min - 2min", dur <= 240, "2min - 4min", dur > 240, "More than 4min")
| eval sort_field=case(bucket="Less than 30sec", 1, bucket="30sec - 60sec", 2, bucket="1min - 2min", 3, bucket="2min - 4min", 4, bucket="More than 4min", 5)
| stats count as "Number of Queries" by bucket sort_field
| sort sort_field
| fields - sort_field

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2024 12:15 PM 
| eval bucket=case(dur < 30, "Less than 30sec", dur <= 60, "30sec - 60sec", dur <= 120, "1min - 2min", dur <= 240, "2min - 4min", dur > 240, "More than 4min")
| eval sort_field=case(bucket="Less than 30sec", 1, bucket="30sec - 60sec", 2, bucket="1min - 2min", 3, bucket="2min - 4min", 4, bucket="More than 4min", 5)
| stats count as "Number of Queries" by bucket sort_field
| sort sort_field
| fields - sort_field
Reply
Solved! Jump to solution

jrs42
Path Finder
‎05-17-2024 02:57 PM

Extra credit:

Is there a way to force all 5 buckets to always appear in the results, even if they have a 0 count?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2024 04:15 PM

Try something like this

| eval bucket=case(dur < 30, 0, dur <= 60, 1, dur <= 120, 2, dur <= 240, 3, dur > 240, 4)
| stats count as "Number of Queries" by bucket
| append
  [| makeresults
  | fields - _time
  | eval bucket=mvrange(0,5)
  | mvexpand bucket
  | eval "Number of Queries"=0]
| stats sum('Number of Queries') as "Number of Queries" by bucket
| eval bucket=mvindex(split("Less than 30sec,30sec - 60sec,1min - 2min,2min - 4min,More than 4min", ","), bucket)
0 Karma
Reply
Solved! Jump to solution

jrs42
Path Finder
‎05-17-2024 02:53 PM

Thank you!  I was so close lol.

I hacked it by prepending "  " and " " to a couple of bucket names to force them to sort ahead, but that made me cringe.  This is far better.  Thanks again!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...