sort descending avg time field in results

MOHITJOSHI · ‎04-07-2020

i have a field "avg_time" which i want to display in descending order. tried sort -avg_time but didn't worked

eval n=round(diff,2)|chart limit=200 eval(round(avg(n),2)) as avg_time count over Transaction_GroupName by v usenull=false. v is version of app

the results table has fields Transaction_GroupName, count:v, avg_time:v

gcusello · ‎04-07-2020

Hi @MOHITJOSHI,
I haven't your data so I cannot test your search, but you cannot put an eval in a chart command in that way and I think that you don't need, try something like this:

index=your_index
| chart limit=200 avg(diff) as avg_time over Transaction_GroupName BY v
| eval  avg_time=round(avg_time,2)

The problem is that avg_time isn't a column of the table because as column you have v so you cannot sort by avg_time and that you cannot have two fields in chart command.

To have avg_time as a column you have to use the command stats, having in two different columns Transaction_GroupName and v, something like this:

index=your_index
| stats avg(diff) as avg_time count BY Transaction_GroupName v
| eval  avg_time=round(avg_time,2)
| sort 200 -avg_time

I don't know if it could be acceptable for you.

Ciao.
Giuseppe

sort descending avg time field in results

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

sort descending avg time field in results

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk