Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sorting Charts

richnavis
Contributor
‎11-26-2012 06:47 PM

I have the following search that returns a chart of response times for web pages by GET and POST.

index=iis_PRODUCT | regex cs_method="(GET|POST)" | chart avg(time_taken) as response_time count(host) as hits by cs_uri_stem, cs_method | sort response_time

However, the sort command does not seem to work. Perhaps it's because the field names have the method appended to it? something like this.... hits:GET hits:POST. Not sure how to solve this.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-27-2012 12:31 AM

You are indeed trying to sort by a column that does not exist at this time. I see two options:

First, you could pick one of the columns to sort by. Let's assume one of the response_time fields is called "response_time: GET":

search... | chart... | sort "response_time: GET"

Alternatively, if you cannot decide which response time field is the relevant one to search, you could summarize them into a helper field that then is used for sorting:

search... | chart... | addtotals fieldname=temp_sort response_time* | sort temp_sort

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-27-2012 12:31 AM

You are indeed trying to sort by a column that does not exist at this time. I see two options:

First, you could pick one of the columns to sort by. Let's assume one of the response_time fields is called "response_time: GET":

search... | chart... | sort "response_time: GET"

Alternatively, if you cannot decide which response time field is the relevant one to search, you could summarize them into a helper field that then is used for sorting:

search... | chart... | addtotals fieldname=temp_sort response_time* | sort temp_sort
Reply
Solved! Jump to solution

richnavis
Contributor
‎11-27-2012 08:31 AM

Very nice.. I think I will use the addtotals option. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...