Solved: Re: How to sort group by results?

ramki1459 · ‎06-07-2018

For example:

raw data is

100,x,info=1,error=1,warn=1
101,x,info=1,error=1,warn=1
101,y,info=1,error=2,warn=1
101,y,info=1,error=3,warn=1

| query
| chart count by x y 
| addtotals col=true labelfield=x label="Totals"

Sample results

event, info, error, warn  Total
 x         2        2         2       6
 y         2        5         2       9
Totals 4        7         4       15

In the above query I want to sort the data based on group by query results in desc order. when i try | sort 0 -Totals, Totals column appearing first row in table.

| query
| chart count by x y 
| addtotals col=true labelfield=x label="Totals"
| sort 0 -Total

Result:

event, info, error, warn  Total
Totals 4        7         4       15
 y         2        5         2       9
 x         2        2         2       6

But I want to display results as

event, info, error, warn  Total
 y         2        5         2       9
 x         2        2         2       6
Totals 4        7         4       15

Any inputs here really helps me. Thanks

ramki1459 · ‎06-07-2018

i am able resolve my problem modifying query this
`| query
| chart count by x y
| sort 0 info desc
| addtotals col=true labelfield=x label="Totals"

View solution in original post

ramki1459 · ‎06-07-2018

i am able resolve my problem modifying query this
`| query
| chart count by x y
| sort 0 info desc
| addtotals col=true labelfield=x label="Totals"

niketn · ‎06-07-2018

@ramki1459, I have converted your comment to answer. Please accept the same to mark this question as answered!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to sort group by results?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...