Splunk Search
Highlighted

how to sort rows result in descending order

Path Finder

Happy New Year!!!

my splunk query --> search command | timechart sum(quantity) as total span=1week by user limit=5 | sort -total

here's the row results I have which is total:

8 4 6 1 3

I want the sort to look like this:

1 3 4 6 8

Is it possible?

Thanks

Tags (3)
0 Karma
Highlighted

Re: how to sort rows result in descending order

Splunk Employee
Splunk Employee

Hi mmouse88,

With the timechart command, your total is always order by _time on the x axis, broken down into users.

If you want to order your data by total in 1h timescale, you can use the bin command, which is used for statistical operations that the chart and the timechart commands cannot process.
Please try this:

... | bin span=1h _time | stats sum(quantity) as total by _time, user| sort -total

For details about bin, please refer to:
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Bin

Hope this helps, thanks!
Hunter

0 Karma
Highlighted

Re: how to sort rows result in descending order

Path Finder

thx u Hunter for your response. I was able to achieve the same output as you adding this

| untable _time, user, total | sort -total

Not really what I was looking for. I want to keep the same format where it still display in row but change the order from descending.

_time user1 user2 user3 user4 (default column heading)
2017-01-05 1 3 4 6 8

0 Karma
Highlighted

Re: how to sort rows result in descending order

SplunkTrust
SplunkTrust

To sort in ascending order use the plus sign.

... sort +total

0 Karma
Highlighted

Re: how to sort rows result in descending order

SplunkTrust
SplunkTrust

Try this workaround which will keep the column order but the column names will have a serial number in front of them.

search command | bucket span=1w _time | stats  sum(quantity) as total by _time user | sort 5 -total | streamstats count as sno | eval user=sno.")".user | xyseries _time user total

View solution in original post

0 Karma
Highlighted

Re: how to sort rows result in descending order

Path Finder

Much appreciated somesoni2. This is what i'm looking for.

0 Karma
Highlighted

Re: how to sort rows result in descending order

Path Finder

oh yea, one point to make. it does display in order but not really. here's what it shows if I have more than 10 say 11. Basically, it takes all the users that has a 1 in the front.

_time 1)user1 10)user2 11)user3 2)user4 (default column heading)
2017-01-05 1 3 4 6 8

0 Karma
Highlighted

Re: how to sort rows result in descending order

New Member
0 Karma