Splunk: Sort by Column Title

**Problem: **So you’ve already got your search returning the data you want.  The problem is, it’s all stuffed into a table in random order.

**Solution: **The solution’s pretty simple.  Splunk has a function called sort that sorts your data.  So, if you have a table with a column called: “Avg Response Time”, you can have Splunk sort by that column (assuming it’s filled with integers or something else with a standard hierarchy) by calling this sort function at the end of the search.

For example, you might have:

index=app sourcetype=server (hamycodes/getAwesomeStuff) earliest=-24h | eval response_time_s=response_time/1000 | convert ctime(_time) as time | stats first(time)
sparkline count avg(response_time_s) as “Avg Response Time (s)”, max(response_time_s) as “Max Response Time (s)” by host | sort “Avg Response Time (s)”

This would return a sparkline table that looks something like this:

As you can see, the table has been sorted by the “Avg Response Time (s)” column by adding ‘… | sort “Avg Response Time (s)” ‘ to the end of the search query.