Re: Sorting of Columns in Saved Search

ppurokit · ‎09-10-2013

Hello everyone,

I have a table like the below example:

|| Protocol || Count ||

|| TCP || 500 ||

|| UDP || 200 ||

|| Total || 700 ||

I have made use of the addcoltotals to get the total count of the count column.

So now when I click on the default column sorting available , it's sorting taking into account the "Total" row also and hence the sorting is not perfect.

Is there a way in which i can make the "Total" row fixed and sort only the rows which are fetched from the search query?

rturk · ‎09-10-2013

Hi Ppurokit,

Once you apply addcoltotals Splunk treats the newly added information as a new row along with the rest of them.. as far as I know there's no way around this.

If you are looking to put this in a static dashboard, or in a emailed report however, applying the sort before adding the column totals will ensure that your table is sorted as required with the totals down the bottom.

<base search> | sort -count | addcoltotals

NOTE: Selecting to sort the columns by clicking the headers will break this behaviour, and you will need to refresh the browser window (not just re-submit the search).

Sorting of Columns in Saved Search

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Sorting of Columns in Saved Search

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...