Splunk Search

sort not working as expected

Communicator

I used the following query, where I put '-' right beside "Total bytes" without a space. As per my understanding, if we have multiple fields after sort and we use '-' just next to a field, that field will be sorted descending and the other fields are sorted in ascending order. But I am not getting the desired results. Kindly correct me if I am wrong.

index="main" host="web_application" status=200
| stats sum(bytes) as "Total bytes" by file
| sort -"Total bytes" file

file Total bytes
product.screen 123344678
cart.do 122623448
category.screen 84500260
oldlink 82699602
success.do 67725818
passwords.pdf 22207970
error.do 7495294
userlist 55380
account 8476
api 2912

0 Karma

Legend

Hi @palisetty,
it's correct: in your search you sorted first descending by "Total bytes" (the first field, with -) and then all the equal values of "Total bytes" are sorted ascending by file, so the order you have is correct.

But what's the order you want in your results?

Ciao and Happy New Year.
Giuseppe

0 Karma

New Member

Can you explain what those files listed actually are for? What value do they have?
product.screen
cart.do
category.screen
oldlink
success.do
passwords.pdf
error.do
userlist
account
api

0 Karma

Communicator

@gcusello Hello Sir, first of all, Happy New Year to you and your family.
Here for the file, we have values like these. How do they even look like they are sorted?

product.screen
cart.do
category.screen
oldlink
success.do
passwords.pdf
error.do
userlist
account
api

0 Karma

Legend

Hi @palisetty,
sorry! I was sleeping watching that values were sorted!
Anyway, I used sort command with your data and I have a correct sort, as you can see in this example:

| makeresults | eval ppp="product.screen 123344678,cart.do 122623448,category.screen 84500260,oldlink 82699602,success.do 67725818,passwords.pdf 22207970,error.do 7495294,userlist 55380,account 8476,api 2912" 
| makemv ppp delim=","
| mvexpand ppp
| rex field=ppp "(?<file>[^ ]*)\s+(?<Total_bytes>[^ ]*)"
| table file Total_bytes
| sort -Total_bytes file

Ciao.
Giuseppe

0 Karma
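
The tie-breaking behaviour discussed in this thread only becomes visible when several rows share the same "Total bytes" value, which the data above never does. The search below is an added example, not part of any post in the thread; the field names constructed_rows and total_bytes and all the byte values are constructed for illustration.

```spl
| makeresults
| eval constructed_rows="cart.do 500,api 500,account 500,userlist 200,error.do 200,product.screen 900"
| makemv delim="," constructed_rows
| mvexpand constructed_rows
| rex field=constructed_rows "(?<file>\S+)\s+(?<total_bytes>\d+)"
| eval total_bytes=tonumber(total_bytes)
| table file total_bytes
| sort -total_bytes file
```

With these rows product.screen (900) comes first, the three files tied at 500 come back as account, api, cart.do, and the two tied at 200 as error.do, userlist. The '-' applies only to total_bytes, and file is consulted only to order rows whose total_bytes are equal.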