Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Sorting bucketed data

strive
Influencer
‎04-24-2013 11:58 PM

Hi,

We have a requirement to show data in bucketed format.

Avg Data Delivered    Count
< 50 MB               3450
< 100 MB              200
< 250 MB              350
< 500 MB              1000
< 1 GB                120
> 1 GB                55

The problem we are facing is: Since the data gets sorted as string, 100 MB appears first and then 50 MB.. and so on... How to render the results as mentioned in example above. Basically i would like to disable default sorting.

One option i thought is to use python scripts. Format the data in script and then render it on screen. I would like to know if there is an option in splunk query itself.

Thanks

Strive

Tags (2)
Reply

Ayn
Legend
‎04-25-2013 12:15 AM

Well you need SOME way of sorting so just "disabling" the default sorting wouldn't be enough. What I think you should do is to convert the "Avg Data Delivered" values to something where all quantities share a common unit, like KB for instance. You could do this using convert's memk() function (see http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert ). This will let you sort your data correctly. I suspect you still want to SHOW the data just like now though - in which case you could use fieldformat to set that up.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...