
Is there a way to sort the output of the top command lexicographically within the count strata?


I'm writing a Splunk query to retrieve error codes that feature a specific identifier token, then using the top command to sort them by occurrence. But now, I'm trying to put the output of the top command in lexicographic order.

I've tried reading through some of the documentation for Splunk's SPL, and I wasn't able to find a command or option that allows me to do this.

    message=SplunkLogging::* | top limit=0 userQuery

For instance if you have the following counts: A - 2, B - 5, C - 1, D - 2, I would want the results to be ordered as such: B - 5, A - 2, D - 2, C - 1.


Solution

  • The usual way to do that is to create a temporary field that contains the values to sort. Something like this:

    message=SplunkLogging::* 
    | top limit=0 userQuery 
    | rex field=userQuery "- (?<sorter>\d+)" 
    | sort - sorter 
    | fields - sorter
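As an added example (not from the question or the answer above): `top` already emits a `count` field, so the ordering the question asks for, count descending and `userQuery` ascending within each count, can be requested directly from `sort` with two keys. The `makeresults`/`makemv`/`mvexpand` lines only build constructed sample data that reproduces the question's A/B/C/D counts; `sort 0` lifts the default 10,000-row sort limit so `limit=0` output is not truncated.

```spl
| makeresults
| eval userQuery="A,B,C,D,A,B,B,D,B,B"
| makemv delim="," userQuery
| mvexpand userQuery
| top limit=0 showperc=f userQuery
| sort 0 -count, +userQuery
```

In the real search, replace the first four lines with `message=SplunkLogging::* | top limit=0 userQuery`; the rows should then come out in the order the question wants (B, then A and D as the two-count stratum in alphabetical order, then C).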