I tried that already; it does not work. Here are all the combos that I have tried to sort the values(src_ip) field....
..... |stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, destip, srcip
..... |stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, destip, ip(srcip)
..... |stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, destip | sort +ip(srcip)
..... |stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +ip(srcip) | sort +dest_port, destip
According to the docs for the values() function, "The order of the values is lexicographical." So if there is any way to change that order to make it see them as IP