Splunk Sort Command

In this section, we learn about the sort command in Splunk: its syntax and examples, its required and optional arguments, and the field options the sort command accepts.

Description

The sort command sorts all of the results by the specified fields. Results that are missing a given field are treated as having the smallest or largest possible value of that field, depending on whether the order is descending or ascending, respectively.

If the first argument to the sort command is a number, then at most that many results are returned, in order. When no number is specified, the default limit of 10000 is used. When the number 0 is specified, all results are returned.

Syntax:

sort [<count>] <sort-by-clause>... [desc]

The <sort-by-clause> is the required part of the syntax; the other arguments are optional.

Required arguments

<sort-by-clause>

Syntax: ( - | + ) <sort-field>, ( - | + ) <sort-field> ...

Description: The list of fields to sort by and the order to sort them in. Use a minus sign (-) for descending order and a plus sign (+) for ascending order. Separate the field names with commas when specifying more than one field.

Optional arguments

<count>

Syntax: <int>

Description: The number of results to return from the sorted results. In Splunk, the default limit of 10000 is used if no count is specified. If 0 is specified, all results are returned.

Depending on how many results are returned, using sort 0 can have a negative impact on performance.

Default: 10000

desc

Syntax: d | desc

Description: Reverses the order of the results. If several fields are specified, the order of the values in those fields is reversed field by field, in the order in which the fields are defined. For example, if three fields are specified, the desc argument reverses the order of the values in the first field.

Then, in the second field, it reverses the order of the corresponding values within each group of duplicate values in the first field. In the third field, it reverses the order of the corresponding values within each group of duplicate values in the second field.

Sort field options

<sort-field> Option

Syntax: <field> | auto(<field>) | str(<field>) | ip(<field>) | num(<field>)

Description: The options that can be used to specify a <sort-field>.

<field> Option

Syntax: <string>

Description: The name of the field to sort by.

auto Option

Syntax: auto(<field>)

Description: Automatically determines how the field values are sorted.

ip Option

Syntax: ip(<field>)

Description: Interprets the field values as IP addresses.

num Option

Syntax: num(<field>)

Description: Interprets the field values as numbers.

str Option

Syntax: str(<field>)

Description: Interprets the field values as strings and orders the values alphabetically.

Usage

By default, sort tries to determine automatically what it is sorting. If a field takes numeric values, the collating sequence is numeric. If a field takes IP address values, the collating sequence is for IPs. Otherwise, the collating sequence is lexicographic order. Some specific examples are:

  • Alphabetic strings are sorted lexicographically.
  • Punctuation strings are sorted lexicographically.
  • Numeric data is sorted as numbers, in the requested ascending or descending order.
  • Alphanumeric strings are sorted based on the data type of the first character. If the string starts with a number, the string is sorted numerically based on that number alone. Otherwise, the strings are sorted lexicographically.
  • Strings that contain a mix of alphanumeric and punctuation characters are sorted in the same way as alphanumeric strings.

In the default automatic mode for a field, the sort order is determined between each pair of values that is compared at any one time. This means that the order could be lexicographic for some pairs of values and numeric for other pairs.

For example, in descending order, 10.1 > 9.1, but 10.1.a < 9.1.a.

Lexicographical order

Lexicographic order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

  • Numbers are sorted before letters, and are compared starting from the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
  • Uppercase letters are sorted before lowercase letters.
  • Symbols are not sorted consistently in lexicographic order. Some symbols are sorted before numeric values; other symbols are sorted before or after letters.

Custom sort order

We can specify a custom sort order that overrides the lexicographic order.

Basic examples

1. Use the sort field options to specify the data type of a field

Sort the results by the "ip" field in ascending order, and then sort by the "url" field in descending order.

2. Specify the number of results to be sorted

Sort the first 100 results in descending order of the "size" field and then in ascending order of the "source" field. This example specifies the data type of each field: the "size" field contains numbers and the "source" field contains strings.

3. Specify descending and ascending sort orders

Sort the results in ascending order by the "_time" field and then in descending order by the "host" field.

4. Changing the time-format for sorting events

Change the format of the event time, and sort the results in descending order by the time field that is created with the eval command.

5. Return the most recent event

Return the most recent event.
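The collating rules from the Usage section (auto-typed pairwise comparison, the str/ip/num field options, a missing field sorting last, count and desc) and the sort clauses of basic examples 1 and 2, emulated in Python. This is an added example, not Splunk's own implementation; the EVENTS records and the sort_results/compare helpers are constructed here.

```python
import ipaddress
import re
from functools import cmp_to_key

# Constructed sample results (not from the page); the last one deliberately lacks "ip".
EVENTS = [
    {"ip": "10.0.0.9", "url": "/b", "size": "10.1"},
    {"ip": "10.0.0.10", "url": "/a", "size": "100"},
    {"ip": "10.0.0.9", "url": "/c", "size": "70"},
    {"url": "/d", "size": "9.1"},
]
# One <sort-field>: optional +/- sign, then <field> or auto|str|ip|num(<field>).
FIELD_RE = re.compile(r"^([-+]?)(?:(auto|str|ip|num)\((\w+)\)|(\w+))$")
CONVERT = {"num": float, "ip": lambda v: int(ipaddress.ip_address(v)), "str": str}

def _auto(v):
    """Classify a value the way auto() does: number first, then IP address, else string."""
    for kind in ("num", "ip"):
        try:
            return kind, CONVERT[kind](v)
        except ValueError:
            pass
    return "str", str(v)

def compare(a, b, mode="auto"):
    """Return -1/0/1; in auto mode a pair of differing types is compared lexicographically."""
    if mode == "auto":
        (ka, va), (kb, vb) = _auto(a), _auto(b)
        if ka != kb:
            va, vb = str(a), str(b)
    else:
        va, vb = CONVERT[mode](a), CONVERT[mode](b)
    return (va > vb) - (va < vb)

def sort_results(events, clause, desc=False):
    """Emulate `sort [<count>] <sort-by-clause> [desc]`: count 0 returns all, default is 10000."""
    tokens = clause.replace(",", " ").split()
    count = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else 10000
    keys = [(m[3] or m[4], m[2] or "auto", (m[1] == "-") != desc)  # desc flips every field
            for m in (FIELD_RE.match(t) for t in tokens)]
    def cmp_events(x, y):
        for field, mode, descending in keys:
            a, b = x.get(field), y.get(field)
            if a is None or b is None:  # a result missing the field sorts last either way
                if a is not b:
                    return 1 if a is None else -1
            elif (c := compare(a, b, mode)):
                return -c if descending else c
        return 0
    return sorted(events, key=cmp_to_key(cmp_events))[:count or None]
```

Note that compare("10.1", "9.1") is numeric while compare("10.1.a", "9.1.a") is lexicographic, which is exactly why a field holding mixed values has no single consistent order in auto mode and is safer sorted with an explicit num(), ip() or str() option.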