Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

sort ip's within stats values function

tve784
Path Finder
‎05-04-2015 08:03 AM

I am trying to figure out a way to sort the source ip's that are in my stats values results. Just adding a simple sort on that field on the end does nothing. What im working with is listed below. Basically this just lists out what destination ip's are talking with what source ip's on specific ports. Any help would be greatly appreciated.

... | stats values(src_ip) by dest_port, protocol, dest_ip | sort +dest_port, dest_ip

Tags (1)
Reply

stephanefotso
Motivator
‎05-04-2015 08:26 AM

Hello! How do you know that it is not working? By default your data are sorting in incresing order. Means from the smallest value to the heighest. By doing |sort +dest_port does not change any thing to the results. Test this and let me know how does it works ..............|sort -dest_ip

SGF
0 Karma
Reply

tve784
Path Finder
‎05-04-2015 08:31 AM

so looking at the values(src_ip) field the ip's are not in order. it looks like its not reading them as ip's. the order its showing is like:

10.123.1.2
10.4.5.6
10.66.6.7
etc...

the other fields are sorted correctly just not this one field

0 Karma
Reply

stephanefotso
Motivator
‎05-04-2015 09:54 AM

it is really surprising! Looking your dest_ip, here is the order you should have.

10.4.5.6
10.66.6.7
10.123.1.2
Please Try this and let me know!

   ..... |stats values(src_ip) by dest_port, protocol, dest_ip |eval desip=tostring(ip,"hex")| sort +dest_port, destip
SGF
0 Karma
Reply

tve784
Path Finder
‎05-04-2015 11:55 AM

its not the dest_ip its the values(src_ip) that is not sorting. the dest_ip is sorting correctly. The values(src_ip) can be 1 or many results and this is where they are not sorting if it has more then 1 IP.

0 Karma
Reply

stephanefotso
Motivator
‎05-04-2015 12:45 PM

Please let me know. Where did you sort values(src_ip) ? Here you go:

 ..... |stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, destip, srcip

hope this may help!

SGF
0 Karma
Reply

tve784
Path Finder
‎05-04-2015 12:59 PM

I tried that already it does not work. here are all the combos that i have tried to sort the values(sr_ip) field....

..... |stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, destip, srcip

..... |stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, destip, ip(srcip)

..... |stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, destip | sort +ip(srcip)

..... |stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +ip(srcip) | sort +dest_port, destip

According to the docs for the values() function "The order of the values is lexicographical.” so if there is anyway to change that order to make it see them as IP

0 Karma
Reply

stephanefotso
Motivator
‎05-05-2015 03:34 PM

That is true. The order of the values is lexicographical when using the values function. In fact your results are sorting, but not as you want. To sole the problem, instead of use the values function, i will advise you to use the list function as follows:

 ..... |sort (src_ip)|stats list(src_ip) as sr_cip by dest_port, protocol, dest_ip | sort +dest_port, dest_ip

I think it will be ok now!

SGF
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...