Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

sorting based on value?

tinhuty
Engager
‎04-26-2011 07:28 PM

one of my log file has this key-value: pageLoadTime=xxx, where xxx is number of milliseconds.

how do I write the search to sort by xxx, so the biggest pageLoadTime is on the top? I tried "|top pageLoadTime" but that sort by number of occurence of xxx.

thanks.

Tags (3)
0 Karma
Reply

herbie
Path Finder
‎04-27-2011 04:25 PM

Yes, there is a couple of ways you can do this. Note that your timestamp gets put into a field called _time.

If you want to use average figures over a timerange, you can use the timechart function. Eg:

search command | timechart avg(pageLoadSeconds) as AvgPageLoadTime

If for some reason you want to graph the raw values of pageLoadSeconds, you can just create a table with the values you want, eg:

search command | table _time, pageLoadSeconds

Note, the graphs in Splunk will only plot up to 1000 events, so if you use the table option you won't be able to do it over a lot of data. It's recommended to use timechart.

Either of these can be used to populate a Splunk graph.

Cheers,
Herbie.

0 Karma
Reply

herbie
Path Finder
‎04-26-2011 10:01 PM

On the end of your search, add the sort function. Eg:

... | sort -pageLoadTime

Cheers.

Reply

tinhuty
Engager
‎04-27-2011 08:03 AM

Thanks very much herbie, that works, now the4 eventdata are sorted by pageLoadTime. My log data also has timestamp, the simplified sample log entry is like:

[04/26/2011 14:03:27,832][DEBUG]:page=Order.aspx, pageLoadSeconds=0.1093687

Is there command to make it a chart, with pageLoadTime as Y-axis and timestamp as X-axis? what will be very helpful to see exactly when those slow pageload happened.

I just started using couple days ago that there are lots of commands I need to learn.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...