Splunk Sort Command

In this section, we are going to learn about the sort command in Splunk: its syntax, examples, required argument, optional arguments and the field options of the sort command.

Description

The sort command sorts all of the results by the specified fields. Results that are missing a given field are treated as having the smallest or largest possible value of that field, depending on whether the order is descending or ascending, respectively; in either direction, results that lack the field therefore land at the end of the sorted output. If the first argument to the sort command is a number, then at most that many results are returned, in order. If no number is specified, the default limit of 10000 is used. If the number 0 is specified, all of the results are returned.

Syntax

sort [<count>] <sort-by-clause>... [desc]

Required arguments

<sort-by-clause>
Syntax: ( - | + ) <sort-field>, ( - | + ) <sort-field> ...
Description: List of the fields to sort by and the order in which to sort them. Use a minus sign (-) for descending order and a plus sign (+) for ascending order. Separate the field names with commas when specifying more than one field.

Optional arguments

<count>
Syntax: <int>
Description: Specify the number of results to return from the sorted results. If no count is specified, the default limit of 10000 is used. If 0 is specified, all of the results are returned. Depending on how many results are returned, using sort 0 may have a negative impact on performance.
Default: 10000

desc
Syntax: d | desc
Description: Reverses the order of the results. If multiple fields are specified, reverses the order of the values in the fields in the order in which the fields are specified. For example, if three fields are specified, the desc argument reverses the order of the values in the first field. Then, in the second field, it reverses the order of the corresponding values for each set of duplicate values in the first field. In the third field, it reverses the order of the corresponding values for each set of duplicate values in the second field.
Sort field options

<sort-field>
Syntax: <field> | auto(<field>) | str(<field>) | ip(<field>) | num(<field>)
Description: Options that you can specify for <sort-field>.

<field>
Syntax: <string>
Description: The name of the field to sort by.

auto
Syntax: auto(<field>)
Description: Determine automatically how to sort the field values.

ip
Syntax: ip(<field>)
Description: Interpret the field values as IP addresses.

num
Syntax: num(<field>)
Description: Interpret the field values as numbers.

str
Syntax: str(<field>)
Description: Interpret the field values as strings and order the values alphabetically (lexicographically).

Usage

By default, sort tries to determine automatically what it is sorting. If the field takes on numeric values, the collating sequence is numeric. If the field takes on IP address values, the collating sequence is for IPs. Otherwise, the collating sequence is lexicographic. A plain <field> with no type wrapper uses this automatic mode, so wrap the field in num(), ip() or str() when its values are mixed and you need one consistent ordering.
In the default automatic mode, the sort order is determined separately for each pair of values that is compared at any one time. This means that for some pairs of values the order may be lexicographic, while for other pairs the order may be numeric. For example, when sorting in descending order, 10.1 > 9.1 because both values are compared as numbers, but 10.1.a < 9.1.a because that pair is compared as strings, where the character "1" sorts before "9".

Lexicographical order

Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.
Custom sort order

You can specify a custom sort order that overrides the lexicographical order.

Basic examples

1. Specifying the sort order for each field

Sort the results by the "ip" field in ascending order and then by the "url" field in descending order:

... | sort ip, -url

2. Specifying the number of results to return

Sort the results in descending order of the "size" field and then in ascending order of the "source" field, and return the first 100. This example specifies the data type of each field: the "size" field contains numbers and the "source" field contains strings.

... | sort 100 -num(size), +str(source)

3. Specifying descending and ascending sort orders

Sort the results by the "_time" field in ascending order and then by the "host" field in descending order:

... | sort _time, -host

4. Changing the time format for sorting events

Change the format of the event's time with the eval command, and sort the results by the generated time field in descending order.

5. Returning the most recent event

Return the most recent event by sorting on "_time" in descending order and keeping only the first result:

... | sort 1 -_time
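The ordering rules from the Usage section above (per-pair automatic collation, results lacking a field sorting last, the count limit, sort 0 and desc) and basic examples 1, 2 and 5, as an added example that is not part of the original page or of Splunk's code: a Python model of the sort command's rules, run over constructed sample results. The argument parser (parse_sort_args), the sample events (EVENTS) and the treatment of values that fail to parse under num() or ip() are assumptions made for this model, not Splunk's implementation.

```python
"""Model of the sort command's ordering rules over a list of result dicts.

Added example, not Splunk code: it reproduces the behaviour described on
this page (auto/num/str/ip collation decided per pair of values, results
lacking a field placed last in either direction, the count limit, sort 0,
and desc) so the rules can be checked on sample data. The events below are
constructed for this example; the parser is a simplified one that accepts
the syntax shown above, not Splunk's own.
"""
import ipaddress
import re
from functools import cmp_to_key

MISSING = object()  # sentinel: the result has no value for this field


def _as_num(v):
    try:
        return float(v)
    except (TypeError, ValueError):
        return None


def _as_ip(v):
    try:
        ip = ipaddress.ip_address(v)
        return (ip.version, int(ip))  # tuple so v4 and v6 compare without error
    except ValueError:
        return None


def compare(a, b, kind="auto"):
    """Three-way compare of two field values under a <sort-field> option.

    auto picks the collation per pair: numeric if both values are numbers,
    IP if both are IP addresses, otherwise byte-wise on the UTF-8 encoding.
    That per-pair choice is exactly why 10.1 > 9.1 but "10.1.a" < "9.1.a".
    num() and ip() fall back to the string comparison for values that do
    not parse (an assumption made for this model).
    """
    if kind in ("auto", "num"):
        na, nb = _as_num(a), _as_num(b)
        if na is not None and nb is not None:
            return (na > nb) - (na < nb)
    if kind in ("auto", "ip"):
        ia, ib = _as_ip(a), _as_ip(b)
        if ia is not None and ib is not None:
            return (ia > ib) - (ia < ib)
    ba, bb = str(a).encode("utf-8"), str(b).encode("utf-8")
    return (ba > bb) - (ba < bb)


_FIELD_RE = re.compile(r"^([+-]?)(?:(auto|str|ip|num)\((.+)\)|(.+))$")


def parse_sort_args(args):
    """Parse the text after `sort`, e.g. "100 -num(size), +str(source) desc",
    into (count, clauses, desc). Omitted count defaults to 10000; 0 means all."""
    tokens = args.replace(",", " ").split()
    count, desc = 10000, False
    if tokens and tokens[0].isdigit():
        count = int(tokens.pop(0))
    if tokens and tokens[-1].lower() in ("d", "desc"):
        desc = True
        tokens.pop()
    clauses = []
    for tok in tokens:
        m = _FIELD_RE.match(tok)
        direction, kind = m.group(1) or "+", m.group(2) or "auto"
        clauses.append((direction, kind, m.group(3) or m.group(4)))
    return count, clauses, desc


def splunk_sort(results, clauses, count=10000, desc=False):
    """Order results by the clauses. desc negates every clause, which is the
    page's rule of reversing the values field by field (first field, then
    each set of duplicates in the second field, and so on)."""
    if desc:
        clauses = [("-" if d == "+" else "+", k, f) for d, k, f in clauses]

    def cmp_results(r1, r2):
        for direction, kind, field in clauses:
            v1, v2 = r1.get(field, MISSING), r2.get(field, MISSING)
            if v1 is MISSING and v2 is MISSING:
                continue
            # A result without the field counts as the largest value when
            # ascending and the smallest when descending: last either way.
            if v1 is MISSING:
                return 1
            if v2 is MISSING:
                return -1
            c = compare(v1, v2, kind)
            if c:
                return -c if direction == "-" else c
        return 0

    ordered = sorted(results, key=cmp_to_key(cmp_results))
    return ordered if count == 0 else ordered[:count]


# Constructed sample results (the fourth has no "size" field).
EVENTS = [
    {"ip": "10.0.0.10", "size": "9.1", "source": "web"},
    {"ip": "10.0.0.9", "size": "10.1", "source": "web"},
    {"ip": "10.0.0.2", "size": "10.1", "source": "api"},
    {"ip": "10.0.0.9", "source": "db"},
]


def run(args, results=EVENTS):
    """Apply `sort <args>` to the sample results and return the ordered list."""
    count, clauses, desc = parse_sort_args(args)
    return splunk_sort(results, clauses, count, desc)


if __name__ == "__main__":
    for args in ("ip, -source", "str(ip)", "-num(size), +str(source)", "1 -size"):
        rows = [(r["ip"], r.get("size"), r["source"]) for r in run(args)]
        print(f"sort {args:28} -> {rows}")
```

Running the script shows the two points a practitioner most often trips over: sorting the "ip" field with the automatic mode places 10.0.0.9 before 10.0.0.10, whereas str(ip) places 10.0.0.10 first because "1" sorts before "9" byte-wise; and the result with no "size" field ends up last whether the sort on "size" is ascending or descending.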