Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

sorting based on value?

tinhuty
Engager
‎04-26-2011 07:28 PM

one of my log file has this key-value: pageLoadTime=xxx, where xxx is number of milliseconds.

how do I write the search to sort by xxx, so the biggest pageLoadTime is on the top? I tried "|top pageLoadTime" but that sort by number of occurence of xxx.

thanks.

Tags (3)
0 Karma
Reply

herbie
Path Finder
‎04-27-2011 04:25 PM

Yes, there is a couple of ways you can do this. Note that your timestamp gets put into a field called _time.

If you want to use average figures over a timerange, you can use the timechart function. Eg:

search command | timechart avg(pageLoadSeconds) as AvgPageLoadTime

If for some reason you want to graph the raw values of pageLoadSeconds, you can just create a table with the values you want, eg:

search command | table _time, pageLoadSeconds

Note, the graphs in Splunk will only plot up to 1000 events, so if you use the table option you won't be able to do it over a lot of data. It's recommended to use timechart.

Either of these can be used to populate a Splunk graph.

Cheers,
Herbie.

0 Karma
Reply

herbie
Path Finder
‎04-26-2011 10:01 PM

On the end of your search, add the sort function. Eg:

... | sort -pageLoadTime

Cheers.

Reply

tinhuty
Engager
‎04-27-2011 08:03 AM

Thanks very much herbie, that works, now the4 eventdata are sorted by pageLoadTime. My log data also has timestamp, the simplified sample log entry is like:

[04/26/2011 14:03:27,832][DEBUG]:page=Order.aspx, pageLoadSeconds=0.1093687

Is there command to make it a chart, with pageLoadTime as Y-axis and timestamp as X-axis? what will be very helpful to see exactly when those slow pageload happened.

I just started using couple days ago that there are lots of commands I need to learn.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...