I used the following query, where I put '-' right beside "Total bytes" without a space. As per my understanding, if we have multiple fields after sort and we use '-' right next to a field, that field will be sorted descending and the other fields are sorted in ascending order. But I am not getting the desired results. Kindly correct me if I am wrong.
index="main" host="web_application" status=200
| stats sum(bytes) as "Total bytes" by file
| sort -"Total bytes" file
file Total bytes
It's correct: in your search you sorted first descending by "Total bytes" (the first field, with -), and then all the equal values of "Total bytes" are sorted ascending by file, so the order you have is correct.
But what's the order you want in your results?
Ciao and Happy New Year.
Can you explain what those files listed actually are for? What value do they have?
@gcusello Hello Sir, first of all, Happy New Year to you and your family.
Here for the file, we have values like. How do they even look like they are sorted?
Sorry! I was sleeping watching that values were sorted!
Anyway, I used sort command with your data and I have a correct sort, as you can see in this example:
| makeresults
| eval ppp="product.screen 123344678,cart.do 122623448,category.screen 84500260,oldlink 82699602,success.do 67725818,passwords.pdf 22207970,error.do 7495294,userlist 55380,account 8476,api 2912"
| makemv ppp delim=","
| mvexpand ppp
| rex field=ppp "(?<file>[^ ]*)\s+(?<Total_bytes>[^ ]*)"
| table file Total_bytes
| sort -Total_bytes file
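An added example, not part of any post in this thread: the same search shape run over constructed sample data in which several files share the same "Total bytes", so the ascending tie-break on file described in the first reply becomes visible. The field name bytes and all values are made up for illustration.

```spl
| makeresults
| eval ppp="cart.do 500,api 500,error.do 500,userlist 120,account 120,oldlink 9000"
| makemv delim="," ppp
| mvexpand ppp
| rex field=ppp "(?<file>[^ ]*)\s+(?<bytes>[^ ]*)"
| stats sum(bytes) as "Total bytes" by file
| sort -"Total bytes" file
```

Rows with equal "Total bytes" come out grouped together and ordered alphabetically by file within each group, while the groups themselves run from the largest total to the smallest.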