Splunk Search

Sorting Duration and Getting the Top 10

splunknovice201
New Member

I have a duration field in seconds. I wanted the format to be D+hh:mm:ss, so I used this:
eval dur_hhmmss=tostring(Duration,"duration")

Then I had to sort it to get the top 10, so I used the sort then head 10:
eval dur_hhmmss=tostring(Duration,"duration")| search dur_hhmmss="*" | chart latest(dur_hhmmss) as Duration by JOBNAME | sort Duration desc | head 10

I was expecting to see 1+18:36:16 (1+ is 1 DAY), at the top of the list but it's not getting displayed in the top 10 result set. If I remove head 10, which then would show all the result, I see 1+18:36:16 at the 19th spot, together with those 1hr results.

How do I get it to appear at the top 10 list? It looks like Splunk is seeing it as 1hr*

Tags (1)
0 Karma

splunknovice201
New Member

It worked, thank you!!

0 Karma

aholzer
Motivator

The reason it's not working for you is because you have just turned the Duration into a string, and it will now sort alphabetically

Try this:

... | search dur_hhmmss="*" | chart latest(Duration) as Duration by JOBNAME | top limit=10 Duration | eval dur_hhmmss=tostring(Duration,"duration")

Basically you are doing all the calculations you want to do on the Duration while it's a number (integer), and then performing the transform to string at the end.

Hope this helps

Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...