Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

sort not working as expected

palisetty
Communicator
‎12-31-2019 06:17 AM

I used the following query where I used '-' just beside "Total bytes" without space. As per my understanding, if we have multiple fields after sort and when use '-' just next to the field that field will be sorted descending and the other fields are sorted in ascending order. But I am not getting desired results. Kindly correct me if I am wrong.

index="main" host="web_application" status=200
| stats sum(bytes) as "Total bytes" by file
| sort -"Total bytes" file

file Total bytes
product.screen 123344678
cart.do 122623448
category.screen 84500260
oldlink 82699602
success.do 67725818
passwords.pdf 22207970
error.do 7495294
userlist 55380
account 8476
api 2912

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-31-2019 06:29 AM

Hi @palisetty,
it's correct: in your search you sorted at first descending by "Total bytes" (the first field with -) and then all the equal values of "Total bytes" are sorted ascending by file, so it's correct the order you have.

But what's the order you want in your results?

Ciao and Happy New Year.
Giuseppe

0 Karma
Reply

jcorcoran508
Path Finder
‎05-14-2020 02:16 PM

can you explain what those files listed actually are for ? What value do they have ?
product.screen
cart.do
category.screen
oldlink
success.do
passwords.pdf
error.do
userlist
account
api

0 Karma
Reply

palisetty
Communicator
‎12-31-2019 08:42 PM

@gcusello Hello Sir, first of all, Happy New Year to you and your family.
Here for the file, we have values like. How do they even look like they are sorted

product.screen
cart.do
category.screen
oldlink
success.do
passwords.pdf
error.do
userlist
account
api

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-02-2020 12:09 AM

Hi @palisetty,
sorry! I was sleeping whatching that vales were sorted!
Anyway, I used sort command with your data and I have a correct sort, as you can see in this example:

| makeresults | eval ppp="product.screen 123344678,cart.do 122623448,category.screen 84500260,oldlink 82699602,success.do 67725818,passwords.pdf 22207970,error.do 7495294,userlist 55380,account 8476,api 2912" 
| makemv ppp delim=","
| mvexpand ppp
| rex field=ppp "(?<file>[^ ]*)\s+(?<Total_bytes>[^ ]*)"
| table file Total_bytes
| sort -Total_bytes file

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...