Solved: "Sort 0 desc" vs "sort 0 -" for data over 10,000

LearningGuy · ‎02-21-2024

Hello,

I don't know how to simulate this using makeresults, but I have data over 10,000 (let say 50,000)
If I sort descending using "| sort - 0 Score", it will only give me 10,000 rows, but I used "| sort 0 Score desc", it will give me 50,000 rows.
What is the different between using sort - and sort desc?
Why doesn't sort - only limit to 10,000? Thank you so much

index=test
| sort - 0 Score ==> only 10,000 rows I need to use "| sort Score desc"

Name	Score
Name1	5
Name2	0
Name3	7
Name4	0
….
Name50000	9

yuanliu · ‎02-21-2024

See sort. | sort 0 Score desc is semantically identical to | sort limit=0 Score desc. But | sort - 0 Score is equivalent to | sort 0, Score desc. That is, you are sorting two fields, 0 and Score, in descending order and without using limit.

Sort is memory hungry. Setting 10,000 by default is a sensible choice.

View solution in original post

yuanliu · ‎02-21-2024

See sort. | sort 0 Score desc is semantically identical to | sort limit=0 Score desc. But | sort - 0 Score is equivalent to | sort 0, Score desc. That is, you are sorting two fields, 0 and Score, in descending order and without using limit.

Sort is memory hungry. Setting 10,000 by default is a sensible choice.

"Sort 0 desc" vs "sort 0 -" for data over 10,000

other

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!