Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Sorting the fields based on values in a row

nsingh49
Explorer
‎09-01-2021 06:17 PM

This is my splunk query

 

index=xxxxx "searchTerm")|rex "someterm(?<errortype>)" | timechart count by
errortype span ="1w" | addcoltotals labelfield=total | fillnullvalue=TOTAL|fileds - abc,def,total

 

I am adding the total count of the errors over a week in another column named TOTAL as depicted in table below.Here A... B... are error names in alphabetical order, the values are total number of errors that occured on that day for that errortype

_time                      A....     A....     C....     D....     E....

2021-08-25       11         22      05      23      89
2021-08-26        15       45        45      13      39
2021-08-27        34       05        55       33     85
2021-08-28        56       08        65       53      09
2021-08-29         01       06        95      36       01
TOTAL                  117        86       265  158    223
I want these fields sorted by value in TOTAL row in descending order like

265   223 1 58  117  86
But i am always getting this in alphabetical order of the errortype like

A... A... B...
how can i improve this query to get the sorted result like i want?

Labels (4)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-01-2021 09:32 PM

You could transpose, then sort, then transpose back.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-01-2021 09:32 PM

You could transpose, then sort, then transpose back.

0 Karma
Reply
Solved! Jump to solution

nsingh49
Explorer
‎09-02-2021 09:13 AM

added this to the query this and worked like a charm

 


| addcoltotals labelfield=_time label="TOTAL"
| transpose header_field="_time" 0
| sort - TOTAL
| transpose header_field="column" 0
| rename column as _time 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...