Re: Is there a way to get addcoltotals to show up ...

jbezanson · ‎04-19-2017

I have a report that reports the count of events per another field. I can get a total of all of these events but it shows up at the bottom.
Can I get that total from "addcoltotals" to show up at the very top instead?

jbillings · ‎07-09-2019

Add the |sort - count after the |addcoltotals. It will sort your count by greatest to least.

{your search}
| addcoltotals
| sort - count

ElijahLynn · ‎02-21-2018

One way to do this is to click the column name and it will bring it to the top, it will also sort the chart by highest to lowest. e.g. you couldn't have the column total at the top and have the lowest value below it.

niketn · ‎04-20-2017

@jbezanson...If addcoltotals is showing results in the end just add the following in the end | reverse. PS: If you are not sowing more than 10000 results then you can use sort as well. However, I would expect reverse to perform better.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

puneethgowda · ‎04-19-2017

use sort option

lguinn2 · ‎04-19-2017

You could put a | sort fieldA fieldB etc at the end of your SPL. You will just need to figure out which fields to use for the sort to make the order come out the way you want...

Is there a way to get addcoltotals to show up at the top of a report, rather than at the end?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?