Splunk Search

sorting based on value?

tinhuty
Engager

One of my log files has this key-value: pageLoadTime=xxx, where xxx is the number of milliseconds.

How do I write the search to sort by xxx, so the biggest pageLoadTime is on the top? I tried "|top pageLoadTime" but that sorts by the number of occurrences of xxx.

Thanks.

0 Karma

herbie
Path Finder

Yes, there are a couple of ways you can do this. Note that your timestamp gets put into a field called _time.

If you want to use average figures over a time range, you can use the timechart function. E.g.:

search command | timechart avg(pageLoadSeconds) as AvgPageLoadTime

If for some reason you want to graph the raw values of pageLoadSeconds, you can just create a table with the values you want, e.g.:

search command | table _time, pageLoadSeconds

Note, the graphs in Splunk will only plot up to 1000 events, so if you use the table option you won't be able to do it over a lot of data. It's recommended to use timechart.

Either of these can be used to populate a Splunk graph.

Cheers,
Herbie.

0 Karma

herbie
Path Finder

At the end of your search, add the sort function. E.g.:

... | sort -pageLoadTime

Cheers.

tinhuty
Engager

Thanks very much herbie, that works, now the event data are sorted by pageLoadTime. My log data also has a timestamp; the simplified sample log entry is like:

[04/26/2011 14:03:27,832][DEBUG]:page=Order.aspx, pageLoadSeconds=0.1093687

Is there a command to make it a chart, with pageLoadTime as the Y-axis and timestamp as the X-axis? That will be very helpful to see exactly when those slow page loads happened.

I just started using it a couple of days ago, so there are lots of commands I need to learn.

0 Karma
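
An added example (not part of the thread and not Splunk's own material) that combines both answers for the sample log entry above: the first search lists the slowest page loads first, and the second charts the worst and the average load time per time bucket. It assumes `page` and `pageLoadSeconds` are already extracted as fields; the leading `...` stands for your base search, as in the answers above, and the 5-minute span and the `MaxPageLoadSeconds` / `AvgPageLoadSeconds` names are arbitrary choices.

```spl
... | sort 0 -num(pageLoadSeconds)
| table _time, page, pageLoadSeconds

... | timechart span=5m max(pageLoadSeconds) AS MaxPageLoadSeconds avg(pageLoadSeconds) AS AvgPageLoadSeconds
```

`sort 0` lifts the default 10,000-result limit of `sort`, and `num()` forces numeric rather than lexicographic ordering. Charting `max` alongside `avg` keeps a single slow page load visible in a bucket where the average alone would smooth it out.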