Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

how to sort rows result in descending order

mmouse88
Path Finder
‎01-05-2017 06:02 PM

Happy New Year!!!

my splunk query --> search command | timechart sum(quantity) as total span=1week by user limit=5 | sort -total

here's the row results I have which is total:

8 4 6 1 3

I want the sort to look like this:

1 3 4 6 8

Is it possible?

Thanks

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-05-2017 08:22 PM

Try this workaround which will keep the column order but the column names will have a serial number in front of them.

search command | bucket span=1w _time | stats  sum(quantity) as total by _time user | sort 5 -total | streamstats count as sno | eval user=sno.")".user | xyseries _time user total

View solution in original post

Reply
Solved! Jump to solution

jw44250
New Member
‎01-05-2017 08:47 PM

Simple Splunk Command
https://bsuresh1.wordpress.com/2016/03/31/splunk-useful-commands/

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-05-2017 08:22 PM

Try this workaround which will keep the column order but the column names will have a serial number in front of them.

search command | bucket span=1w _time | stats  sum(quantity) as total by _time user | sort 5 -total | streamstats count as sno | eval user=sno.")".user | xyseries _time user total
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎01-06-2017 03:10 PM

Much appreciated somesoni2. This is what i'm looking for.

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎01-06-2017 04:47 PM

oh yea, one point to make. it does display in order but not really. here's what it shows if I have more than 10 say 11. Basically, it takes all the users that has a 1 in the front.

_time 1)user1 10)user2 11)user3 2)user4 (default column heading)
2017-01-05 1 3 4 6 8

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎01-05-2017 06:57 PM

To sort in ascending order use the plus sign.

... sort +total

0 Karma
Reply
Solved! Jump to solution

hunters_splunk
Splunk Employee
Splunk Employee
‎01-05-2017 06:37 PM

Hi mmouse88,

With the timechart command, your total is always order by _time on the x axis, broken down into users.

If you want to order your data by total in 1h timescale, you can use the bin command, which is used for statistical operations that the chart and the timechart commands cannot process.
Please try this: 

... | bin span=1h _time | stats sum(quantity) as total by _time, user| sort -total

For details about bin, please refer to:
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Bin

Hope this helps, thanks!
Hunter

0 Karma
Reply
Solved! Jump to solution

mmouse88
Path Finder
‎01-05-2017 08:03 PM

thx u Hunter for your response. I was able to achieve the same output as you adding this

| untable _time, user, total | sort -total

Not really what I was looking for. I want to keep the same format where it still display in row but change the order from descending.

_time user1 user2 user3 user4 (default column heading)
2017-01-05 1 3 4 6 8

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...