Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to sort rows result in descending order

mmouse88
Path Finder
‎01-05-2017 06:02 PM

Happy New Year!!!

my splunk query --> search command | timechart sum(quantity) as total span=1week by user limit=5 | sort -total

here's the row results I have which is total:

8 4 6 1 3

I want the sort to look like this:

1 3 4 6 8

Is it possible?

Thanks

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-05-2017 08:22 PM

Try this workaround which will keep the column order but the column names will have a serial number in front of them.

search command | bucket span=1w _time | stats  sum(quantity) as total by _time user | sort 5 -total | streamstats count as sno | eval user=sno.")".user | xyseries _time user total

View solution in original post

Reply
Solved! Jump to solution

jw44250
New Member
‎01-05-2017 08:47 PM

Simple Splunk Command
https://bsuresh1.wordpress.com/2016/03/31/splunk-useful-commands/

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-05-2017 08:22 PM

Try this workaround which will keep the column order but the column names will have a serial number in front of them.

search command | bucket span=1w _time | stats  sum(quantity) as total by _time user | sort 5 -total | streamstats count as sno | eval user=sno.")".user | xyseries _time user total
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎01-06-2017 03:10 PM

Much appreciated somesoni2. This is what i'm looking for.

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎01-06-2017 04:47 PM

oh yea, one point to make. it does display in order but not really. here's what it shows if I have more than 10 say 11. Basically, it takes all the users that has a 1 in the front.

_time 1)user1 10)user2 11)user3 2)user4 (default column heading)
2017-01-05 1 3 4 6 8

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎01-05-2017 06:57 PM

To sort in ascending order use the plus sign.

... sort +total

0 Karma
Reply
Solved! Jump to solution

hunters_splunk
Splunk Employee
Splunk Employee
‎01-05-2017 06:37 PM

Hi mmouse88,

With the timechart command, your total is always order by _time on the x axis, broken down into users.

If you want to order your data by total in 1h timescale, you can use the bin command, which is used for statistical operations that the chart and the timechart commands cannot process.
Please try this: 

... | bin span=1h _time | stats sum(quantity) as total by _time, user| sort -total

For details about bin, please refer to:
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Bin

Hope this helps, thanks!
Hunter

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎01-05-2017 08:03 PM

thx u Hunter for your response. I was able to achieve the same output as you adding this

| untable _time, user, total | sort -total

Not really what I was looking for. I want to keep the same format where it still display in row but change the order from descending.

_time user1 user2 user3 user4 (default column heading)
2017-01-05 1 3 4 6 8

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top