Solved: Sorting a list

himynamesdave · ‎01-08-2014

Hi Splunkers!

My data looks like this - it may be familiar from a recent high-profile data leak 🙂

phone number, username, location
21209864XX, user001, london

My hypothesis is to test wether a phonenumber has created more than one account, which in theory should be impossible.

I want to see a table of phonenumbers and the usernames linked to them, sorted by the phonenumbers that are linked to the most usernames (hopefully that makes sense!)

I have run a search to group all usernames that share the same phonenumber.

index="sandbox" | stats list(phonenumber) by username

I want to sort the resulting table by the lists which contain the most usernames. The search below returns the number of events a unique phonenumber can be found, hence the amount of usernames it is connected too.

index="sandbox" | stats count(phonenumber) by phonenumber | sort -count(phonenumber)

What I'm struggling to do is link to two together, to sort the listed table. Can anyone help?

Thanks!

somesoni2 · ‎01-08-2014

Try following:

index="sandbox" | stats list(username) as usernames by phonenumber | eval count=mvcount(usernames) | sort -count

View solution in original post

somesoni2 · ‎01-08-2014

Try following:

index="sandbox" | stats list(username) as usernames by phonenumber | eval count=mvcount(usernames) | sort -count

Sorting a list

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation