Splunk Search

Why can't I get my search results to sort properly?

Motivator

Hi,

I have this search

index=main
| rex "(?i)\".*? /(?P<URL_HEADER>\w+/\w+)"
| rex "(?i) UCT\-(?P<URL_MICRO_SECONDS>\d+)"
| rex "(GET)(?<statusget>)"
| rex "(POST)(?<statuspost>)"
| eval seconds=URL_MICRO_SECONDS/1000000
| eventstats avg(seconds) as avgseconds by URL_HEADER
| eventstats count(URL_HEADER) as urlcount by URL_HEADER
| eval sortc=avgseconds*urlcount
| chart values(sortc) sparkline(avg(seconds)) as Trend avg(seconds) as "Average Seconds" max(seconds) as "Maximum Seconds" min(seconds) as "Minimum Seconds" last(seconds) as Current perc90(seconds) as "90th Percentile" count(URL_HEADER) as "URL Execution Count" sparkline(count(statusget)) as "Trend - GET" count(statusget) as "# of GETs" sparkline(count(statuspost)) as "Trend - POST" count(statuspost) as "# of POSTs" by URL_HEADER
| sort sortc
| rename URL_HEADER as "URL Header - Click for Details"

And for whatever reason I cannot get it to sort on the sortc value. I get results that look like this.


0 Karma
1 Solution

Legend

You don't have a field called sortc after the chart command. You only have a field called values(sortc). You should either change to sort values(sortc), OR in your chart command alias the field name: values(sortc) as sortc.

Just on a different note, you should be able to combine your two eventstats into one: eventstats avg(seconds) as avgseconds count(URL_HEADER) as urlcount by URL_HEADER


0 Karma
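The field-naming behaviour described in the answer, as an added example that is not part of the original thread: a self-contained search built on makeresults, so it runs on any Splunk instance without the index=main data. The URL_HEADER values and the seconds figures are constructed here for illustration. The aggregated weight is aliased with "as sortc" so the name survives the chart command, and the two eventstats calls are merged into one, as the answer suggests.

```spl
| makeresults count=6
| streamstats count as n
| eval URL_HEADER=if(n%3==0, "api/login", "api/search"), seconds=n/10
| eventstats avg(seconds) as avgseconds count(URL_HEADER) as urlcount by URL_HEADER
| eval sortc=avgseconds*urlcount
| chart max(sortc) as sortc avg(seconds) as "Average Seconds" count(URL_HEADER) as "URL Execution Count" by URL_HEADER
| sort 0 - sortc
```

With this data, api/search gets four events averaging 0.3 s (sortc 1.2) and api/login two events averaging 0.45 s (sortc 0.9), so the table comes out api/search first. Three points worth noting: max(sortc) is used instead of values(sortc) because sortc is identical for every event in a group, so max returns the same number as a plain single-valued numeric field rather than a multivalue field; if you drop the "as sortc" alias, the column is literally named max(sortc) (or values(sortc) in the original search), which is what you must then reference in sort; and sort has a default limit of 10,000 results, so "sort 0" lifts that limit and "-" sorts descending, which is usually what you want when the weight is average time multiplied by call count.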

Motivator

Hi Sundareshr!

Ahhhh, I wasn't aware that using values(sortc) actually changes the field name from sortc to "values(sortc)". Interesting.

Thanks for the update on the eventstats!

0 Karma