Splunk Search

Sorting issue with numeric field, descending order

pgoldweic
Communicator

I have a simple search with a sort command at the end as follows:
.... some base search | dedup id | table id, name | sort -id

and I'm being presented with the following results:

18760000000000166   2020 Summer
18760000000000168   2020 Fall
18760000000000167   2020-2021 Academic Year
18760000000000164   2020 Winter
18760000000000165   2020 Spring
18760000000000163   2019 Fall
18760000000000131   2019-2020 Academic Year
18760000000000127   2019 Spring
18760000000000129   2019-2020 Academic Year
18760000000000130   2018-2019 Academic Year

I expected the results to have been ordered by id (descending order). What am I missing?

Tags (3)
0 Karma
1 Solution

to4kawa
Ultra Champion

Solution:

| makeresults
| eval _raw="id,name
18760000000000166,2020 Summer
18760000000000168,2020 Fall
18760000000000167,2020-2021 Academic Year
18760000000000164,2020 Winter
18760000000000165,2020 Spring
18760000000000163,2019 Fall
18760000000000131,2019-2020 Academic Year
18760000000000127,2019 Spring
18760000000000129,2019-2020 Academic Year
18760000000000130,2018-2019 Academic Year"
| multikv forceheader=1
| table id name
| rex field=id "(?<Upper>\d{10})(?<Lower>\d{7})"
| sort - Upper Lower
| fields - Upper Lower

that's interesting.

sample:

| makeresults
| eval _raw="id,name
18760000000000166,2020 Summer
18760000000000168,2020 Fall
18760000000000167,2020-2021 Academic Year
18760000000000164,2020 Winter
18760000000000165,2020 Spring
18760000000000163,2019 Fall
18760000000000131,2019-2020 Academic Year
18760000000000127,2019 Spring
18760000000000129,2019-2020 Academic Year
18760000000000130,2018-2019 Academic Year"
| multikv forceheader=1
| table id name
| eval check = tonumber(id)

id is huge number. so Splunk has rounded off the number.

View solution in original post

0 Karma

to4kawa
Ultra Champion

Solution:

| makeresults
| eval _raw="id,name
18760000000000166,2020 Summer
18760000000000168,2020 Fall
18760000000000167,2020-2021 Academic Year
18760000000000164,2020 Winter
18760000000000165,2020 Spring
18760000000000163,2019 Fall
18760000000000131,2019-2020 Academic Year
18760000000000127,2019 Spring
18760000000000129,2019-2020 Academic Year
18760000000000130,2018-2019 Academic Year"
| multikv forceheader=1
| table id name
| rex field=id "(?<Upper>\d{10})(?<Lower>\d{7})"
| sort - Upper Lower
| fields - Upper Lower

that's interesting.

sample:

| makeresults
| eval _raw="id,name
18760000000000166,2020 Summer
18760000000000168,2020 Fall
18760000000000167,2020-2021 Academic Year
18760000000000164,2020 Winter
18760000000000165,2020 Spring
18760000000000163,2019 Fall
18760000000000131,2019-2020 Academic Year
18760000000000127,2019 Spring
18760000000000129,2019-2020 Academic Year
18760000000000130,2018-2019 Academic Year"
| multikv forceheader=1
| table id name
| eval check = tonumber(id)

id is huge number. so Splunk has rounded off the number.

0 Karma

pgoldweic
Communicator

Oh, I see. It didn't occur to me that Splunk could be rounding out, but it now makes sense. Thanks!

0 Karma

dsctm3
Path Finder

Try forcing splunk to treat the ID field as a number.

| sort -num(id)

https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Sort

0 Karma

pgoldweic
Communicator

Thanks for your reply. I just tried your suggestion but it's not working (gives me identical results!).

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...