I'm not sure if it's possible to sort by a different column. However...there is a way to display the "size" field in a pretty format, while retaining the underlying numerical data for sorting. This could work as long as you're not married to using the "size_pretty" from your JSON.

Here's an example search (with some additional data I added to test the sorting):

| makeresults format=json data="[{\"item\":\"disk1\", \"size\":2147483648, \"size_pretty\":\"2 GB\"}, {\"item\":\"disk2\", \"size\":1099511627776, \"size_pretty\":\"1 TB\"}, {\"item\":\"disk3\", \"size\":660, \"size_pretty\":\"660 B\"}, {\"item\":\"disk4\", \"size\":20147483648, \"size_pretty\":\"18 GB\"}, {\"item\":\"disk5\", \"size\":1047548, \"size_pretty\":\"1,023 KB\"}]"
| fieldformat size=printf("%4u",round(size/pow(1024,if(size=0,0,floor(min(log(size,1024),10)))),2)).case(size=0 OR log(size,1024)<1," B", log(size,1024)<2," KB", log(size,1024)<3," MB", log(size,1024)<4," GB", log(size,1024)<5," TB", log(size,1024)<6," PB", log(size,1024)<7," EB", 1=1, " EB")
| table item size size_pretty

This outputs a table like the following. It sorts the size column as expected, while retaining the pretty formatting:

You can remove the "size_pretty" field from the | table command if you no longer wish to display it. The color scale is up to you, but I think it might still be do-able since the underlying numeric data is still there.

This answer was inspired by the following post: Smart conversion of large numbers to human-readable format (Splunk Answers)