https://community.splunk.com/t5/Splunk-Search/Sorting-the-fields-based-on-values-in-a-row/m-p/565563#M197058 <P><SPAN>This is my splunk query</SPAN></P><P>&nbsp;</P><P><SPAN>index=xxxxx "searchTerm")|rex "someterm(?&lt;errortype&gt;)" | timechart count by<BR />errortype span ="1w" | addcoltotals labelfield=total | fillnullvalue=TOTAL|fileds - abc,def,total</SPAN></P><P>&nbsp;</P><P>I am adding the total count of the errors over a week in another column named TOTAL as depicted in table below.Here A... B... are error names in alphabetical order, the values are total number of errors that occured on that day for that errortype</P><P>_time&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; A....&nbsp; &nbsp; &nbsp;A....&nbsp; &nbsp; &nbsp;C....&nbsp; &nbsp; &nbsp;D....&nbsp; &nbsp; &nbsp;E....</P><P>2021-08-25&nbsp; &nbsp; &nbsp; &nbsp;11&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;22&nbsp; &nbsp; &nbsp; 05&nbsp; &nbsp; &nbsp; 23&nbsp; &nbsp; &nbsp; 89<BR />2021-08-26&nbsp; &nbsp; &nbsp; &nbsp; 15&nbsp; &nbsp; &nbsp; &nbsp;45&nbsp; &nbsp; &nbsp; &nbsp; 45&nbsp; &nbsp; &nbsp; 13&nbsp; &nbsp; &nbsp; 39<BR />2021-08-27&nbsp; &nbsp; &nbsp; &nbsp; 34&nbsp; &nbsp; &nbsp; &nbsp;05&nbsp; &nbsp; &nbsp; &nbsp; 55&nbsp; &nbsp; &nbsp; &nbsp;33&nbsp; &nbsp; &nbsp;85<BR />2021-08-28&nbsp; &nbsp; &nbsp; &nbsp; 56&nbsp; &nbsp; &nbsp; &nbsp;08&nbsp; &nbsp; &nbsp; &nbsp; 65&nbsp; &nbsp; &nbsp; &nbsp;53&nbsp; &nbsp; &nbsp; 09<BR />2021-08-29&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;01&nbsp; &nbsp; &nbsp; &nbsp;06&nbsp; &nbsp; &nbsp; &nbsp; 95&nbsp; &nbsp; &nbsp; 36&nbsp; &nbsp; &nbsp; &nbsp;01<BR />TOTAL&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 117&nbsp; &nbsp; &nbsp; &nbsp; 86&nbsp; &nbsp; &nbsp; &nbsp;265&nbsp; 158&nbsp; &nbsp; 223<BR />I want these fields sorted by value in TOTAL row in descending order like</P><P>265&nbsp; &nbsp;223 1 58&nbsp; 117&nbsp; 86<BR />But i am always getting this in alphabetical order of the errortype like</P><P>A... A... B...<BR />how can i improve this query to get the sorted result like i want?</P> Thu, 02 Sep 2021 01:17:20 GMT nsingh49 2021-09-02T01:17:20Z https://community.splunk.com/t5/Splunk-Search/Sorting-the-fields-based-on-values-in-a-row/m-p/565563#M197058 <P><SPAN>This is my splunk query</SPAN></P><P>&nbsp;</P><P><SPAN>index=xxxxx "searchTerm")|rex "someterm(?&lt;errortype&gt;)" | timechart count by<BR />errortype span ="1w" | addcoltotals labelfield=total | fillnullvalue=TOTAL|fileds - abc,def,total</SPAN></P><P>&nbsp;</P><P>I am adding the total count of the errors over a week in another column named TOTAL as depicted in table below.Here A... B... are error names in alphabetical order, the values are total number of errors that occured on that day for that errortype</P><P>_time&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; A....&nbsp; &nbsp; &nbsp;A....&nbsp; &nbsp; &nbsp;C....&nbsp; &nbsp; &nbsp;D....&nbsp; &nbsp; &nbsp;E....</P><P>2021-08-25&nbsp; &nbsp; &nbsp; &nbsp;11&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;22&nbsp; &nbsp; &nbsp; 05&nbsp; &nbsp; &nbsp; 23&nbsp; &nbsp; &nbsp; 89<BR />2021-08-26&nbsp; &nbsp; &nbsp; &nbsp; 15&nbsp; &nbsp; &nbsp; &nbsp;45&nbsp; &nbsp; &nbsp; &nbsp; 45&nbsp; &nbsp; &nbsp; 13&nbsp; &nbsp; &nbsp; 39<BR />2021-08-27&nbsp; &nbsp; &nbsp; &nbsp; 34&nbsp; &nbsp; &nbsp; &nbsp;05&nbsp; &nbsp; &nbsp; &nbsp; 55&nbsp; &nbsp; &nbsp; &nbsp;33&nbsp; &nbsp; &nbsp;85<BR />2021-08-28&nbsp; &nbsp; &nbsp; &nbsp; 56&nbsp; &nbsp; &nbsp; &nbsp;08&nbsp; &nbsp; &nbsp; &nbsp; 65&nbsp; &nbsp; &nbsp; &nbsp;53&nbsp; &nbsp; &nbsp; 09<BR />2021-08-29&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;01&nbsp; &nbsp; &nbsp; &nbsp;06&nbsp; &nbsp; &nbsp; &nbsp; 95&nbsp; &nbsp; &nbsp; 36&nbsp; &nbsp; &nbsp; &nbsp;01<BR />TOTAL&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 117&nbsp; &nbsp; &nbsp; &nbsp; 86&nbsp; &nbsp; &nbsp; &nbsp;265&nbsp; 158&nbsp; &nbsp; 223<BR />I want these fields sorted by value in TOTAL row in descending order like</P><P>265&nbsp; &nbsp;223 1 58&nbsp; 117&nbsp; 86<BR />But i am always getting this in alphabetical order of the errortype like</P><P>A... A... B...<BR />how can i improve this query to get the sorted result like i want?</P> Thu, 02 Sep 2021 01:17:20 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-the-fields-based-on-values-in-a-row/m-p/565563#M197058 nsingh49 2021-09-02T01:17:20Z https://community.splunk.com/t5/Splunk-Search/Sorting-the-fields-based-on-values-in-a-row/m-p/565586#M197062 <P>You could transpose, then sort, then transpose back.</P> Thu, 02 Sep 2021 04:32:06 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-the-fields-based-on-values-in-a-row/m-p/565586#M197062 PickleRick 2021-09-02T04:32:06Z https://community.splunk.com/t5/Splunk-Search/Sorting-the-fields-based-on-values-in-a-row/m-p/565695#M197109 <P>added this to the query this and worked like a charm</P><P>&nbsp;</P><P><BR />| addcoltotals labelfield=_time label="TOTAL"<BR />| transpose header_field="_time" 0<BR />| sort - TOTAL<BR />| transpose header_field="column" 0<BR />| rename column as _time&nbsp;</P> Thu, 02 Sep 2021 16:13:14 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-the-fields-based-on-values-in-a-row/m-p/565695#M197109 nsingh49 2021-09-02T16:13:14Z