Re: sorting based on value?

tinhuty · ‎04-26-2011

one of my log file has this key-value: pageLoadTime=xxx, where xxx is number of milliseconds.

how do I write the search to sort by xxx, so the biggest pageLoadTime is on the top? I tried "|top pageLoadTime" but that sort by number of occurence of xxx.

thanks.

herbie · ‎04-27-2011

Yes, there is a couple of ways you can do this. Note that your timestamp gets put into a field called _time.

If you want to use average figures over a timerange, you can use the timechart function. Eg:

search command | timechart avg(pageLoadSeconds) as AvgPageLoadTime

If for some reason you want to graph the raw values of pageLoadSeconds, you can just create a table with the values you want, eg:

search command | table _time, pageLoadSeconds

Note, the graphs in Splunk will only plot up to 1000 events, so if you use the table option you won't be able to do it over a lot of data. It's recommended to use timechart.

Either of these can be used to populate a Splunk graph.

Cheers,
Herbie.

herbie · ‎04-26-2011

On the end of your search, add the sort function. Eg:

... | sort -pageLoadTime

Cheers.

tinhuty · ‎04-27-2011

Thanks very much herbie, that works, now the4 eventdata are sorted by pageLoadTime. My log data also has timestamp, the simplified sample log entry is like:

[04/26/2011 14:03:27,832][DEBUG]:page=Order.aspx, pageLoadSeconds=0.1093687

Is there command to make it a chart, with pageLoadTime as Y-axis and timestamp as X-axis? what will be very helpful to see exactly when those slow pageload happened.

I just started using couple days ago that there are lots of commands I need to learn.

sorting based on value?

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud