Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sorting the fields based on values in a row

nsingh49
Explorer
‎09-01-2021 06:17 PM

This is my splunk query

 

index=xxxxx "searchTerm")|rex "someterm(?<errortype>)" | timechart count by
errortype span ="1w" | addcoltotals labelfield=total | fillnullvalue=TOTAL|fileds - abc,def,total

 

I am adding the total count of the errors over a week in another column named TOTAL as depicted in table below.Here A... B... are error names in alphabetical order, the values are total number of errors that occured on that day for that errortype

_time                      A....     A....     C....     D....     E....

2021-08-25       11         22      05      23      89
2021-08-26        15       45        45      13      39
2021-08-27        34       05        55       33     85
2021-08-28        56       08        65       53      09
2021-08-29         01       06        95      36       01
TOTAL                  117        86       265  158    223
I want these fields sorted by value in TOTAL row in descending order like

265   223 1 58  117  86
But i am always getting this in alphabetical order of the errortype like

A... A... B...
how can i improve this query to get the sorted result like i want?

Labels (4)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-01-2021 09:32 PM

You could transpose, then sort, then transpose back.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-01-2021 09:32 PM

You could transpose, then sort, then transpose back.

0 Karma
Reply
Solved! Jump to solution

nsingh49
Explorer
‎09-02-2021 09:13 AM

added this to the query this and worked like a charm

 


| addcoltotals labelfield=_time label="TOTAL"
| transpose header_field="_time" 0
| sort - TOTAL
| transpose header_field="column" 0
| rename column as _time 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
Top