Sorting of Columns in Saved Search

ppurokit
Path Finder

Hello everyone,

I have a table like the below example:

|| Protocol || Count ||
|| TCP || 500 ||
|| UDP || 200 ||
|| Total || 700 ||

I have made use of addcoltotals to get the total count of the Count column.

So now when I click on the default column sorting available, it sorts taking the "Total" row into account as well, and hence the sorting is not perfect.

Is there a way in which I can make the "Total" row fixed and sort only the rows which are fetched from the search query?


rturk
Builder

Hi Ppurokit,

Once you apply addcoltotals, Splunk treats the newly added information as a new row along with the rest of them. As far as I know, there's no way around this.

If you are looking to put this in a static dashboard or in an emailed report, however, applying the sort before adding the column totals will ensure that your table is sorted as required with the totals down the bottom.

<base search> | sort -count | addcoltotals

NOTE: Selecting to sort the columns by clicking the headers will break this behaviour, and you will need to refresh the browser window (not just re-submit the search).
