Re: Sorting Duration and Getting the Top 10

splunknovice201 · ‎10-23-2013

I have a duration field in seconds. I wanted the format to be D+hh:mm:ss, so I used this:
eval dur_hhmmss=tostring(Duration,"duration")

Then I had to sort it to get the top 10, so I used the sort then head 10:
eval dur_hhmmss=tostring(Duration,"duration")| search dur_hhmmss="*" | chart latest(dur_hhmmss) as Duration by JOBNAME | sort Duration desc | head 10

I was expecting to see 1+18:36:16 (1+ is 1 DAY), at the top of the list but it's not getting displayed in the top 10 result set. If I remove head 10, which then would show all the result, I see 1+18:36:16 at the 19th spot, together with those 1hr results.

How do I get it to appear at the top 10 list? It looks like Splunk is seeing it as 1hr*

splunknovice201 · ‎10-23-2013

It worked, thank you!!

aholzer · ‎10-23-2013

The reason it's not working for you is because you have just turned the Duration into a string, and it will now sort alphabetically

Try this:

... | search dur_hhmmss="*" | chart latest(Duration) as Duration by JOBNAME | top limit=10 Duration | eval dur_hhmmss=tostring(Duration,"duration")

Basically you are doing all the calculations you want to do on the Duration while it's a number (integer), and then performing the transform to string at the end.

Hope this helps

Sorting Duration and Getting the Top 10

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation