Splunk Search

Sort search results based on other log values

DFresh4130
Path Finder

So I'm currently searching my jboss access logs for all 500 errors with " 500 ". I get all the results, but then I'd like to sort by how many there are for each URI returned. An example would be how do I get the search to break out the results by how many 500s there are for /ABC, how many for /123 and how many for /test. Thanks

Tags (1)
0 Karma
1 Solution

MarioM
Motivator

you can use :

<your search> | top uri

<your search> | stats count by uri

you can add to this the following to sort the uri by order :

| sort - uri

View solution in original post

MarioM
Motivator

you can use :

<your search> | top uri

<your search> | stats count by uri

you can add to this the following to sort the uri by order :

| sort - uri

View solution in original post

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!