https://community.splunk.com/t5/Splunk-Search/Sorting-multi-series-column-chart-by-count-field/m-p/607265#M211127 <P>Not to necro this thread, but...</P><P>This page still turns up in Google so let's update it with an answer!</P><P>&nbsp;</P><P>The following seems to fix the suggested code&nbsp; (at least here in the year 2022...)</P><PRE>yoursearchhere | chart count by field1, field2 | addtotals <STRONG>fieldname=totalCount | </STRONG>sort 0 totalCount | fields - totalCount</PRE><P>Alternatively,</P><P>you should be able to accept the default field created by addtotals (i.e. it is named "<STRONG>Total")</STRONG></P><P>Which simplifies the code to...</P><PRE>yoursearchhere | chart count by field1, field2 | addtotals | sort 0 Total | fields - Total</PRE><P>For more information, refer to the <STRONG>addtotals </STRONG>documentation<STRONG>:</STRONG></P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addtotals" target="_blank" rel="noopener">addtotals - Splunk Documentation</A></P><P>refer to the <STRONG>sort </STRONG>documentation also</P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort" target="_blank" rel="noopener">sort - Splunk Documentation</A></P><P>the <STRONG>sort 0 </STRONG>above is discussed there</P><P>&nbsp;</P><PRE>&lt;count&gt;<BR /><STRONG>Syntax</STRONG>:&nbsp;&lt;int&gt; | limit=&lt;int&gt;<BR /><STRONG>Description</STRONG>:&nbsp;Specify the number of results to return from the sorted results. <BR />If no count is specified, the default limit of 10000 is used. <BR />If&nbsp;0&nbsp;is specified, all results are returned. <FONT color="#FF0000"> *** <STRONG>NOTE</STRONG> ***</FONT><BR />You can specify the count using an integer or precede the count with a label,<BR />for example&nbsp;limit=10.<BR /><BR /><STRONG><FONT color="#FF0000">*** NOTE ***</FONT></STRONG><BR />Using&nbsp;sort 0&nbsp;might have a negative impact performance, <BR />depending on how many results are returned.</PRE><P>&nbsp;</P><P>If you want for example, the top 10 "results"&nbsp; in descending order then you do the following ...</P><P>Note the minus character ("-") in front the Total field,&nbsp; this <EM>reverses the sort order iirc.</EM></P><P><EM>Below I used the "limit=10" rather than "10" just because it makes the code more readable</EM></P><PRE>yoursearchhere | chart count by field1, field2 | addtotals | sort <STRONG>limit=10 -</STRONG>Total | fields - Total</PRE><P>PS.</P><P>You should be able to adapt the other example from&nbsp;<STRONG>lguinn2 in the same way&nbsp;</STRONG></P><DIV class=""><DIV class=""><P><EM>"This works well as long as field1 does not contain numeric values. If it&nbsp;does, then you can do this..."</EM></P><PRE>yoursearchhere | chart count by field1, field2 | addtotals <STRONG>fieldname=totalCount</STRONG> | eval totalCount = totalCount - field1 | sort 0 totalCount | fields - totalCount</PRE><P>&nbsp;</P></DIV></DIV> Wed, 27 Jul 2022 21:04:01 GMT Machine247 2022-07-27T21:04:01Z https://community.splunk.com/t5/Splunk-Search/Sorting-multi-series-column-chart-by-count-field/m-p/108261#M28151 <P>Not sure why this is so perplexing, but or the life of me I can't get this to sort how I want. </P> <P>The following chart syntax:<BR /> |chart count(C) as Count by B,C</P> <P>where B is a Month field, C represents 5 separate values and Count is the count of those values as they occur by Month.</P> <P>The resulting multi-series chart displays with the correct data, but regardless of how I try and sort, the Month is sorted correctly, but within each month the columns representing the 5 counts are always sorted by the alpha value of "C" and not the count.</P> <P>Basically I wanted to do this <BR /> | chart count(C) as Count by B,C |sort 0 B,Count</P> <P>But that doesn't work.</P> Fri, 26 Jul 2013 21:30:34 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-multi-series-column-chart-by-count-field/m-p/108261#M28151 Cuyose 2013-07-26T21:30:34Z https://community.splunk.com/t5/Splunk-Search/Sorting-multi-series-column-chart-by-count-field/m-p/108262#M28152 <P>The reason that this doesn't work is: the columns in the resulting chart are named by the VALUES of C. So if the events had values of C such as "red", "yellow", "green", "blue", "orange" - then the columns would be named red, yellow, green, blue, and orange. So you would have to do something like this:</P> <PRE><CODE>| chart count(C) as Count by B,C |sort 0 B,red </CODE></PRE> <P>And that probably doesn't make any sense. Perhaps what you should do is to sort by the <EM>overall</EM> count. Here is how to do that:</P> <PRE><CODE>yoursearchhere | chart count by field1, field2 | addtotals totalCount | sort 0 totalCount | fields - totalCount </CODE></PRE> <P>This works well as long as field1 does not contain numeric values. If it <EM>does</EM>, then you can do this:</P> <PRE><CODE>yoursearchhere | chart count by field1, field2 | addtotals totalCount | eval totalCount = totalCount - field1 | sort 0 totalCount | fields - totalCount </CODE></PRE> Fri, 26 Jul 2013 22:02:02 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-multi-series-column-chart-by-count-field/m-p/108262#M28152 lguinn2 2013-07-26T22:02:02Z https://community.splunk.com/t5/Splunk-Search/Sorting-multi-series-column-chart-by-count-field/m-p/108263#M28153 <P>Im still unable to get this to do anything different than the original chart. Perhaps I am misunderstanding your instructions. In the form above would it be:<BR /> | chart count(C) as Count by B,C<BR /> | addtotals totalCount<BR /> | eval totalCount = totalCount - B<BR /> | sort 0 totalCount<BR /> | fields - totalCount</P> <P>I tried this and it doesn't do anything different, C is still the 2nd sort, not the count of C</P> Fri, 26 Jul 2013 22:13:46 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-multi-series-column-chart-by-count-field/m-p/108263#M28153 Cuyose 2013-07-26T22:13:46Z https://community.splunk.com/t5/Splunk-Search/Sorting-multi-series-column-chart-by-count-field/m-p/108264#M28154 <P>Thanks! I used this and it did EXACTLY what I wanted .... save one minor detail. The Total field at the far right is blank. I was expecting it to sum all of the values left to right on that row.</P> <P>example<BR /> field1, field2_subtotal, field2_ sub total, Total</P> <P>Any ideas what I need to do to fix the "Totals" column?</P> <P>Thanks</P> Tue, 29 Sep 2020 08:41:12 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-multi-series-column-chart-by-count-field/m-p/108264#M28154 kennyja 2020-09-29T08:41:12Z https://community.splunk.com/t5/Splunk-Search/Sorting-multi-series-column-chart-by-count-field/m-p/607265#M211127 <P>Not to necro this thread, but...</P><P>This page still turns up in Google so let's update it with an answer!</P><P>&nbsp;</P><P>The following seems to fix the suggested code&nbsp; (at least here in the year 2022...)</P><PRE>yoursearchhere | chart count by field1, field2 | addtotals <STRONG>fieldname=totalCount | </STRONG>sort 0 totalCount | fields - totalCount</PRE><P>Alternatively,</P><P>you should be able to accept the default field created by addtotals (i.e. it is named "<STRONG>Total")</STRONG></P><P>Which simplifies the code to...</P><PRE>yoursearchhere | chart count by field1, field2 | addtotals | sort 0 Total | fields - Total</PRE><P>For more information, refer to the <STRONG>addtotals </STRONG>documentation<STRONG>:</STRONG></P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addtotals" target="_blank" rel="noopener">addtotals - Splunk Documentation</A></P><P>refer to the <STRONG>sort </STRONG>documentation also</P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort" target="_blank" rel="noopener">sort - Splunk Documentation</A></P><P>the <STRONG>sort 0 </STRONG>above is discussed there</P><P>&nbsp;</P><PRE>&lt;count&gt;<BR /><STRONG>Syntax</STRONG>:&nbsp;&lt;int&gt; | limit=&lt;int&gt;<BR /><STRONG>Description</STRONG>:&nbsp;Specify the number of results to return from the sorted results. <BR />If no count is specified, the default limit of 10000 is used. <BR />If&nbsp;0&nbsp;is specified, all results are returned. <FONT color="#FF0000"> *** <STRONG>NOTE</STRONG> ***</FONT><BR />You can specify the count using an integer or precede the count with a label,<BR />for example&nbsp;limit=10.<BR /><BR /><STRONG><FONT color="#FF0000">*** NOTE ***</FONT></STRONG><BR />Using&nbsp;sort 0&nbsp;might have a negative impact performance, <BR />depending on how many results are returned.</PRE><P>&nbsp;</P><P>If you want for example, the top 10 "results"&nbsp; in descending order then you do the following ...</P><P>Note the minus character ("-") in front the Total field,&nbsp; this <EM>reverses the sort order iirc.</EM></P><P><EM>Below I used the "limit=10" rather than "10" just because it makes the code more readable</EM></P><PRE>yoursearchhere | chart count by field1, field2 | addtotals | sort <STRONG>limit=10 -</STRONG>Total | fields - Total</PRE><P>PS.</P><P>You should be able to adapt the other example from&nbsp;<STRONG>lguinn2 in the same way&nbsp;</STRONG></P><DIV class=""><DIV class=""><P><EM>"This works well as long as field1 does not contain numeric values. If it&nbsp;does, then you can do this..."</EM></P><PRE>yoursearchhere | chart count by field1, field2 | addtotals <STRONG>fieldname=totalCount</STRONG> | eval totalCount = totalCount - field1 | sort 0 totalCount | fields - totalCount</PRE><P>&nbsp;</P></DIV></DIV> Wed, 27 Jul 2022 21:04:01 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-multi-series-column-chart-by-count-field/m-p/607265#M211127 Machine247 2022-07-27T21:04:01Z