I have a pretty straightforward query:
fields @timestamp, req.url, msg
| sort @timestamp desc
| filter msg = "request completed"
| stats count() by req.url
It presents all requests served by my app aggregated by url. However, I would also like to sort the results by the value of aggregate count() - but both | sort count desc and | sort "count()" desc don't work. How can I achieve that?
Turns out, all I had to do was to use an alias and then sort by it:
fields @timestamp, msg, req.url
| filter msg="request completed"
| stats count() as count by req.url
| sort count desc