Not to necro this thread, but... This page still turns up in Google, so let's update it with an answer!

The following seems to fix the suggested code (at least here in the year 2022...):

    yoursearchhere
    | chart count by field1, field2
    | addtotals fieldname=totalCount
    | sort 0 totalCount
    | fields - totalCount

Alternatively, you should be able to accept the default field created by addtotals (i.e. it is named "Total"), which simplifies the code to...

    yoursearchhere
    | chart count by field1, field2
    | addtotals
    | sort 0 Total
    | fields - Total

For more information, refer to the addtotals documentation: addtotals - Splunk Documentation

Refer to the sort documentation also: sort - Splunk Documentation. The sort 0 above is discussed there:

    <count>
    Syntax: <int> | limit=<int>
    Description: Specify the number of results to return from the sorted results. If no count is specified, the default limit of 10000 is used. If 0 is specified, all results are returned.
    *** NOTE *** You can specify the count using an integer or precede the count with a label, for example limit=10.
    *** NOTE *** Using sort 0 might have a negative impact on performance, depending on how many results are returned.

If you want, for example, the top 10 "results" in descending order, then you do the following... Note the minus character ("-") in front of the Total field; this reverses the sort order iirc. Below I used "limit=10" rather than "10" just because it makes the code more readable:

    yoursearchhere
    | chart count by field1, field2
    | addtotals
    | sort limit=10 -Total
    | fields - Total

PS. You should be able to adapt the other example from lguinn2 in the same way: "This works well as long as field1 does not contain numeric values. If it does, then you can do this..."

    yoursearchhere
    | chart count by field1, field2
    | addtotals fieldname=totalCount
    | eval totalCount = totalCount - field1
    | sort 0 totalCount
    | fields - totalCount
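To see what the pipeline in this answer actually does to a result set, here is an added Python emulation of `chart count` / `addtotals` / `sort` / `fields -` over a handful of constructed events; it is not Splunk code and not from anyone in this thread. It also reproduces why lguinn2's `eval` is needed when field1 is numeric: addtotals sums every numeric field in the row, field1 included. The function names, the sample events and the loose string-to-number coercion are this example's own assumptions about how Splunk behaves.

```python
from collections import Counter
# Constructed sample events (not from the thread): field1 is the row key and
# field2 the column key, as in "chart count by field1, field2".
EVENTS = [{"field1": h, "field2": m} for h, m in
          [("web01", "GET")] * 3 + [("web01", "POST")] * 2
          + [("web02", "GET")] * 4 + [("db01", "GET")]]
# Same shape, but field1 holds numeric strings (lguinn2's caveat).
NUMERIC_EVENTS = ([{"field1": "500", "field2": "GET"}]
                  + [{"field1": "10", "field2": "GET"}] * 3)

def chart_count(events, row_field="field1", col_field="field2"):
    """Emulate `chart count by field1, field2`: one row per field1 value,
    one column per field2 value holding the event count (0 where absent)."""
    counts = Counter((e[row_field], e[col_field]) for e in events)
    cols = sorted({c for _, c in counts})
    table = {}
    for (r, c), n in counts.items():
        table.setdefault(r, {col: 0 for col in cols})[c] = n
    return [{row_field: r, **cells} for r, cells in sorted(table.items())]
def _as_number(v):
    """Splunk is loosely typed: a string such as "500" counts as a number (assumption)."""
    try:
        return float(v)
    except (TypeError, ValueError):
        return None

def addtotals(table, fieldname="Total"):
    """Emulate `addtotals`: sum every numeric field of each row. As in Splunk,
    a numeric field1 gets summed too, which is what lguinn2's eval corrects."""
    for row in table:
        row[fieldname] = sum(n for v in row.values()
                             if (n := _as_number(v)) is not None)
    return table

def sort_and_drop(table, fieldname="Total", limit=0, descending=False):
    """Emulate `sort <limit> [-]<field>` then `fields - <field>`: limit=0 is
    `sort 0` (keep all rows), descending=True is the leading '-'."""
    ordered = sorted(table, key=lambda r: r[fieldname], reverse=descending)
    if limit > 0:
        ordered = ordered[:limit]
    return [{k: v for k, v in r.items() if k != fieldname} for r in ordered]
def rows_by_total(events, limit=0, descending=False, numeric_field1=False):
    """The answer's pipeline; numeric_field1=True adds lguinn2's
    `eval totalCount = totalCount - field1` before sorting."""
    table = addtotals(chart_count(events), "totalCount")
    if numeric_field1:
        for row in table:
            row["totalCount"] -= float(row["field1"])
    return sort_and_drop(table, "totalCount", limit, descending)
```

Run `rows_by_total(NUMERIC_EVENTS)` with and without `numeric_field1=True` to watch the row order flip: without the eval, the "500" row's own key inflates its total.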