Splunk Search

sort columns that with the highest Total to the left

damucka
Builder

Hello,

I have the following search:

index="_internal" sourcetype="scheduler" thread_id="AlertNotifier*" NOT (alert_actions="summary_index"OR alert_actions="" ) 
| rex field=savedsearch_id "(.+;.+;(?P<title>.+))" 
| timechart  useother=f limit=200 span=1h count by title
| addcoltotals labelfield=_time label="Total Sum"
| addtotals 
| sort _time desc
| table _time, Total, *
| where Total != 0
| rename Total AS "#Alerts/h"

it should build the table of the triggered alerts with the frequency per hour. Basically it works fine, but I would like to achieve one more thing:
- I would like the columns with the highest "Total sum" to be ordered from left to right. The goal is that I can see the alerts being executed the most straight away on the left side of the table.

How would I achieve this?

Kind Regards,
Kamil

0 Karma

woodcock
Esteemed Legend

Try padding with leading whitespace like this:

index="_internal" sourcetype="scheduler" thread_id="AlertNotifier*" NOT (alert_actions="summary_index"OR alert_actions="" ) 
| rex field=savedsearch_id "(.+;.+;(?P<title>.+))" 
| timechart useother=f limit=200 span=1h count by title 

| untable _time search errors 
| eventstats sum(errors) AS TOTAL_ERRORS BY search 
| sort 0 TOTAL_ERRORS 
| streamstats dc(search) AS rank 
| eventstats first(rank) AS rank BY search 
| rename COMMENT AS "Pad with spaces to ensure that the search with the most errors show up leftmost!" 
| eval search = printf("%*s", len(search) + rank, search) 
| fields - rank TOTAL_ERRORS
| addcoltotals labelfield=_time label="Total Sum" 
| xyseries _time search errors 

| addtotals 
| sort _time desc 
| table _time, Total, * 
| where Total != 0 
| rename Total AS "#Alerts/h"

Yes, this means we are doing the totalling twice.

0 Karma

adobrzeniecki
Path Finder

How would i do the same thing with this search?

index="prod_license_summary" | rename indexname as idx | eval GB=MB/1024 | lookup index_list.csv idx OUTPUTNEW idx environment owner
| table _time idx sourcetypename GB environment owner | where owner="ghprod" AND environment="prod"
| timechart limit=0 span=1d sum(GB) by sourcetypename
| fillnull value=0
| addcoltotals labelfield=_time label="Total"
| sort Total

0 Karma

to4kawa
Ultra Champion
index="_internal" sourcetype="scheduler" thread_id="AlertNotifier*" NOT (alert_actions="summary_index"OR alert_actions="" ) 
| rex field=savedsearch_id "(.+;.+;(?P<title>.+))" 
| timechart useother=f limit=200 span=1h count by title 
| addcoltotals labelfield=_time 
| table _time * 
| tail 1 
| fields - _* 
| transpose 0 
| sort - "row 1" 
| rename "row 1" as "Total Sum" 
| transpose 0 header_field=column column_name=_time 
| append 
    [ search index="_internal" sourcetype="scheduler" thread_id="AlertNotifier*" NOT (alert_actions="summary_index"OR alert_actions="" ) 
    | rex field=savedsearch_id "(.+;.+;(?P<title>.+))" 
    | timechart useother=f limit=200 span=1h count by title 
    | reverse] 
| reverse 
| addtotals 
| sort _time desc 
| table _time, Total, * 
| where Total != 0 
| rename Total AS "#Alerts/h"

First: make header with appropriate order.
Second: append original query results. At that time, reverse the time order.
Last: reverse and display them

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...