nsingh

Reputation: 81

Sorting the Splunk timechart table with the values in descending order based on a row's values in the timechart table

This is my Splunk query:

index=xxxxx "searchTerm"
| rex "someterm(?<errortype>)"
| timechart count by errortype span="1w"
| addcoltotals labelfield=total
| fillnull value=TOTAL
| fields - abc,def,total

I am adding the total count of the errors over a week in another column named TOTAL, as depicted in the table below. Here A... B... are error names in alphabetical order, and the values are the total number of errors that occurred on that day for that errortype.

_time       A....   A....   C....   D....   E....

2021-08-25  11      22      05      23      89  
2021-08-26  15      45      45      13      39  
2021-08-27  34      05      55      33      85
2021-08-28  56      08      65      53      09
2021-08-29  01      06      95      36      01
TOTAL       117     86      265     158     223

I want these sorted by value in the TOTAL row in descending order, like:

265 223 158 117 86 

But I am always getting this in alphabetical order of the errortype, like:

A... A... B...

How can I improve this query to get the sorted result like I want?

Upvotes: 2

Views: 4665

Answers (1)

RichG

Reputation: 9926

To do that, transpose the results so the TOTAL field is a column instead of the row. Then sort on TOTAL and transpose the results back. Here's a run-anywhere example:

index=_internal 
| timechart span="5m" count by component  
| addcoltotals labelfield=_time label="TOTAL"
| transpose header_field="_time" 0
| sort - TOTAL
| transpose header_field="column" 0
| rename column as _time

Upvotes: 3
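
The answer's transpose, sort, transpose sequence modelled in Python on the question's table, as an added example that is not part of the original answer. The names errA to errE are constructed placeholders for the abbreviated error names, and the functions are a simplified model of the SPL commands, including transpose's default limit of 5 rows, which is why the answer passes 0.

```python
# Constructed model of the question's timechart output; the error names
# errA..errE are placeholders because the question abbreviates them.
FIELDS = ["errA", "errB", "errC", "errD", "errE"]
COUNTS = {
    "2021-08-25": [11, 22, 5, 23, 89],
    "2021-08-26": [15, 45, 45, 13, 39],
    "2021-08-27": [34, 5, 55, 33, 85],
    "2021-08-28": [56, 8, 65, 53, 9],
    "2021-08-29": [1, 6, 95, 36, 1],
}


def timechart_rows():
    """Rows as timechart emits them: one dict per _time, fields alphabetical."""
    return [{"_time": t, **dict(zip(FIELDS, v))} for t, v in COUNTS.items()]


def addcoltotals(rows, labelfield, label):
    """Append a row holding each numeric column's sum, labelled in labelfield."""
    total = {f: sum(r[f] for r in rows) for f in rows[0] if f != labelfield}
    return rows + [{labelfield: label, **total}]


def transpose(rows, header_field, limit=5):
    """Turn each input row into a column named by its header_field value.
    limit models transpose's row limit (default 5); 0 means all rows."""
    kept = rows if limit == 0 else rows[:limit]
    names = [f for f in rows[0] if f != header_field]
    return [{"column": n, **{r[header_field]: r[n] for r in kept}} for n in names]


def sort_desc(rows, field):
    """Sort rows descending; in this model a missing field leaves order unchanged."""
    return sorted(rows, key=lambda r: r.get(field, 0), reverse=True)


def sorted_by_total(limit=0):
    """addcoltotals | transpose | sort - TOTAL | transpose | rename column as _time"""
    rows = addcoltotals(timechart_rows(), "_time", "TOTAL")
    rows = sort_desc(transpose(rows, "_time", limit), "TOTAL")
    rows = transpose(rows, "column", limit)
    return [{"_time": r.pop("column"), **r} for r in rows]


if __name__ == "__main__":
    for row in sorted_by_total():
        print(row)
```

Calling sorted_by_total(limit=5) shows the failure mode: the six input rows are cut to five, the TOTAL row never becomes a column, and the fields stay in alphabetical order.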
