Solved: Sorting the fields based on values in a row - Splunk Community

Splunk Search

This is my splunk query

index=xxxxx "searchTerm")|rex "someterm(?<errortype>)" | timechart count by
errortype span ="1w" | addcoltotals labelfield=total | fillnullvalue=TOTAL|fileds - abc,def,total

I am adding the total count of the errors over a week in another column named TOTAL as depicted in table below.Here A... B... are error names in alphabetical order, the values are total number of errors that occured on that day for that errortype

_time A.... A.... C.... D.... E....

2021-08-25 11 22 05 23 89
2021-08-26 15 45 45 13 39
2021-08-27 34 05 55 33 85
2021-08-28 56 08 65 53 09
2021-08-29 01 06 95 36 01
TOTAL 117 86 265 158 223
I want these fields sorted by value in TOTAL row in descending order like

265 223 1 58 117 86
But i am always getting this in alphabetical order of the errortype like

A... A... B...
how can i improve this query to get the sorted result like i want?

1 Solution

Solution

You could transpose, then sort, then transpose back.

View solution in original post

Solution

You could transpose, then sort, then transpose back.

added this to the query this and worked like a charm

| addcoltotals labelfield=_time label="TOTAL"
| transpose header_field="_time" 0
| sort - TOTAL
| transpose header_field="column" 0
| rename column as _time

Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience, ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...