Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

issue with sort command

krish318
New Member
‎06-10-2018 10:51 PM

Hi,

index="testdb" sourcetype="audt" | table Command, Duration | sort Duration | search Duration>=60. This search command is not working until i put the desc near "sort Duration"

So i have changed it with following command. then it is working fine
index="testdb" sourcetype="audt" | table Command, Duration | search Duration>=60| sort Duration

The objective here is to get the results for execution time taken (Duration) for the SQL commands (command) to execute.

My question is why the "sort Duration" is not working while "sort Duration desc" is working when i place it in the same location that is in the middle of the search command. is this some kind of glitch in the APP? Kindly help me on this.

Tags (1)
0 Karma
Reply

amiftah
Communicator
‎06-16-2018 05:55 AM

Can you add | convert num(Duration) before | sort Duration and see if it solves the problem?

0 Karma
Reply

niketn
Legend
‎06-15-2018 11:44 PM

@krish318 what does the data in Duration field look like? Do they always follow specific format like HH:MM:SS etc?

Would it be possible that sort is working on Alphabetic order rather than numeric based on data in the Duration field?

One of the possibilities would be to convert Duration to seconds to ensure that they sort in numerical order. We would be able to assist further only if you can share the current data Sample for the rows which are not sorting as expected.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

krish318
New Member
‎06-15-2018 06:24 PM

Hi loglogananthan,

I tried the query you provided, but it is not working either unless i put desc near "sort" command

0 Karma
Reply

logloganathan
Motivator
‎06-11-2018 07:44 AM

Could you please try this query

index="testdb" sourcetype="audt" | sort Duration | table Command, Duration | search Duration>=60

because we have to sort and then table it

0 Karma
Reply

krish318
New Member
‎06-15-2018 10:15 PM

if i type below
index="testdb" sourcetype="audt" | sort Duration desc|table Command, Duration | search Duration>=60

i am getting results with values in descending order and that is fine. But i am trying to get the same results in accessing order now with the following command which is not working. (no resulsts)

index="testdb" sourcetype="audt" | sort Duration |table Command, Duration | search Duration>=60

0 Karma
Reply

krish318
New Member
‎06-15-2018 06:26 PM

Hi logloganathan,

Thank you for your feedback.
I tried your search query but this is not working either unless i put desc near "sort" command. please advice

0 Karma
Reply

krish318
New Member
‎06-15-2018 10:15 PM

if i type below
index="testdb" sourcetype="audt" | sort Duration desc|table Command, Duration | search Duration>=60

i am getting results with values in descending order and that is fine. But i am trying to get the same results in accessing order now with the following command which is not working. (no resulsts)

index="testdb" sourcetype="audt" | sort Duration |table Command, Duration | search Duration>=60

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...