Sorting Duration and Getting the Top 10

splunknovice201 · ‎10-23-2013

I have a duration field in seconds. I wanted the format to be D+hh:mm:ss, so I used this:
eval dur_hhmmss=tostring(Duration,"duration")

Then I had to sort it to get the top 10, so I used the sort then head 10:
eval dur_hhmmss=tostring(Duration,"duration")| search dur_hhmmss="*" | chart latest(dur_hhmmss) as Duration by JOBNAME | sort Duration desc | head 10

I was expecting to see 1+18:36:16 (1+ is 1 DAY), at the top of the list but it's not getting displayed in the top 10 result set. If I remove head 10, which then would show all the result, I see 1+18:36:16 at the 19th spot, together with those 1hr results.

How do I get it to appear at the top 10 list? It looks like Splunk is seeing it as 1hr*

splunknovice201 · ‎10-23-2013

It worked, thank you!!

aholzer · ‎10-23-2013

The reason it's not working for you is because you have just turned the Duration into a string, and it will now sort alphabetically

Try this:

... | search dur_hhmmss="*" | chart latest(Duration) as Duration by JOBNAME | top limit=10 Duration | eval dur_hhmmss=tostring(Duration,"duration")

Basically you are doing all the calculations you want to do on the Duration while it's a number (integer), and then performing the transform to string at the end.

Hope this helps

Sorting Duration and Getting the Top 10

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Automatic Discovery Part 2: Setup and Best Practices

Are you a member of the Splunk Community?

Sorting Duration and Getting the Top 10

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Automatic Discovery Part 2: Setup and Best Practices