Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Sorting Duration and Getting the Top 10

splunknovice201
New Member
‎10-23-2013 11:43 AM

I have a duration field in seconds. I wanted the format to be D+hh:mm:ss, so I used this:
eval dur_hhmmss=tostring(Duration,"duration")

Then I had to sort it to get the top 10, so I used the sort then head 10:
eval dur_hhmmss=tostring(Duration,"duration")| search dur_hhmmss="*" | chart latest(dur_hhmmss) as Duration by JOBNAME | sort Duration desc | head 10

I was expecting to see 1+18:36:16 (1+ is 1 DAY), at the top of the list but it's not getting displayed in the top 10 result set. If I remove head 10, which then would show all the result, I see 1+18:36:16 at the 19th spot, together with those 1hr results.

How do I get it to appear at the top 10 list? It looks like Splunk is seeing it as 1hr*

Tags (1)
0 Karma
Reply

splunknovice201
New Member
‎10-23-2013 12:53 PM

It worked, thank you!!

0 Karma
Reply

aholzer
Motivator
‎10-23-2013 12:05 PM

The reason it's not working for you is because you have just turned the Duration into a string, and it will now sort alphabetically

Try this:

... | search dur_hhmmss="*" | chart latest(Duration) as Duration by JOBNAME | top limit=10 Duration | eval dur_hhmmss=tostring(Duration,"duration")

Basically you are doing all the calculations you want to do on the Duration while it's a number (integer), and then performing the transform to string at the end.

Hope this helps

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...