Hi all,
I have the following search
"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400 | stats dc(Bundle) as count values(Bundle) as Bundle values(_time) as time list(time2) as Date values(time_diff) as time_diff values(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H))
Which returns a table that looks something like this:
Machine_Serial count Bundle time Date time_diff tim_diff(H)
____________________________________________________________________________________________
75123 3 1.1 1458049413 2016/03/16 6702139.000000 1134.5710532407
1.3 1458053068 2013/04/2 98026939.000000 1135.5710532407
1.4 1464618084 2013/04/23 98113339.000000 77.57105324074
--------------------------------------------------------------------------------------------
75334 1 1.5 1464788901 2012/10/17 114356539.000000 1323.57105324074
I've been trying to sort based on the values of time_diff(H) using the sort command, however, it doesn't seem to work on the values in the same under the same group, so they'll be mismatched internally. I've attempted various sort commands, as well placing it in different locations, but I haven't been able to crack it. Is there any I can achieve this?
Thank you in advance.
Give this a try
"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400
| stats count by Machine_Serial Bundle _time time2 time_diff times
| sort 0 Machine_Serial -num(timed)
| stats dc(Bundle) as count list(Bundle) as Bundle list(_time) as time list(time2) as Date list(time_diff) as time_diff list(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H))
Give this a try
"result generating search"| eval z=mvzip(Bundle, Load_Time) | mvexpand z | streamstats window=2 current=f range(Load_Time) as time_diff by Machine_Serial| eval time_diff=if(isnull(time_diff), now()-Load_Time, time_diff)| eval timed=time_diff/86400
| stats count by Machine_Serial Bundle _time time2 time_diff times
| sort 0 Machine_Serial -num(timed)
| stats dc(Bundle) as count list(Bundle) as Bundle list(_time) as time list(time2) as Date list(time_diff) as time_diff list(timed) as tim_diff(H) by Machine_Serial | sort 0 -num(tim_diff(H))
one note I changed the "times" to" timed" at the end of the 4th line
Worked flawlessly, thank you.
Try sorting before the stats command?
I've tried that, and the results are the same, still I appreciate the help.