https://community.splunk.com/t5/Splunk-Enterprise/How-to-sort-severity-in-search/m-p/415855#M1353 <P>@Ropermark you can try out the following SPL</P> <PRE><CODE> index=server-farm Risk=Critical OR Risk=High OR Risk=Medium OR Risk=Low | chart count by index, Risk | rename Low as "1.Low",Medium as "2.Medium",High as "3.High",Critical as "4.Critical" | table index 1.* 2.* 3.* 4.* | rename 1.* as *, 2.* as *, 3.* as *, 4.* as * | addtotals </CODE></PRE> <P>Following is a run anywhere search example:</P> <PRE><CODE>| makeresults | eval data="Risk=Critical,index=a OR Risk=High,index=a OR Risk=Medium,index=b OR Risk=Low,index=b OR Risk=Critical,index=b OR Risk=High,index=b OR Risk=Medium,index=b OR Risk=Low,index=b" | makemv data delim=" OR " | mvexpand data | rename data as _raw | KV | chart count by index, Risk | rename Low as "1.Low",Medium as "2.Medium",High as "3.High",Critical as "4.Critical" | table index 1.* 2.* 3.* 4.* | rename 1.* as *, 2.* as *, 3.* as *, 4.* as * | addtotals </CODE></PRE> Mon, 20 Aug 2018 16:06:50 GMT niketn 2018-08-20T16:06:50Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-sort-severity-in-search/m-p/415853#M1351 <P>Hello all, </P> <P>I am very new to Splunk and I am looking to sort by the following command:</P> <PRE><CODE>index=server-farm Risk=Critical OR Risk=High OR Risk=Medium OR Risk=Low | chart count by index, Risk | addtotals </CODE></PRE> <P>But the problem is when I see the result I see in the following order:</P> <PRE><CODE>index - Critical - High - Low - Medium - Total </CODE></PRE> <P>I want to sort that in:</P> <PRE><CODE>Index - Critical - High - Medium - Total </CODE></PRE> <P>Could someone please help me how to sort that. </P> <P>Thanks in advance.</P> Mon, 20 Aug 2018 14:22:39 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-sort-severity-in-search/m-p/415853#M1351 Ropermark 2018-08-20T14:22:39Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-sort-severity-in-search/m-p/415854#M1352 <P>I suspect someone may be able to come up with a cleaner way, however this is the kind of approach I have taken in the past to this kind of issue.</P> <P><CODE>index=server-farm Risk=Critical OR Risk=High OR Risk=Medium OR Risk=Low | <BR /> eval Risk=if(Risk="Critical","1:". Risk,if(Risk="High","2:". Risk,if(Risk="Medium","3:". Risk,"4:". Risk))) |<BR /> chart count by index, Risk | <BR /> rex field=Risk "[0-9]+:(?.+)" |<BR /> addtotals</CODE></P> Mon, 20 Aug 2018 15:56:44 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-sort-severity-in-search/m-p/415854#M1352 tomawest 2018-08-20T15:56:44Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-sort-severity-in-search/m-p/415855#M1353 <P>@Ropermark you can try out the following SPL</P> <PRE><CODE> index=server-farm Risk=Critical OR Risk=High OR Risk=Medium OR Risk=Low | chart count by index, Risk | rename Low as "1.Low",Medium as "2.Medium",High as "3.High",Critical as "4.Critical" | table index 1.* 2.* 3.* 4.* | rename 1.* as *, 2.* as *, 3.* as *, 4.* as * | addtotals </CODE></PRE> <P>Following is a run anywhere search example:</P> <PRE><CODE>| makeresults | eval data="Risk=Critical,index=a OR Risk=High,index=a OR Risk=Medium,index=b OR Risk=Low,index=b OR Risk=Critical,index=b OR Risk=High,index=b OR Risk=Medium,index=b OR Risk=Low,index=b" | makemv data delim=" OR " | mvexpand data | rename data as _raw | KV | chart count by index, Risk | rename Low as "1.Low",Medium as "2.Medium",High as "3.High",Critical as "4.Critical" | table index 1.* 2.* 3.* 4.* | rename 1.* as *, 2.* as *, 3.* as *, 4.* as * | addtotals </CODE></PRE> Mon, 20 Aug 2018 16:06:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-sort-severity-in-search/m-p/415855#M1353 niketn 2018-08-20T16:06:50Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-sort-severity-in-search/m-p/415856#M1354 <P>Hello thanks for the reply..<BR /> But the problem is always same.</P> <P>the result query answer is </P> <P>Index | Critial | High | Low | Medium | Total</P> <P>i want low after medium, in this way my graph will be what i want. </P> <P>thanks for your help</P> Fri, 24 Aug 2018 14:20:08 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-sort-severity-in-search/m-p/415856#M1354 Ropermark 2018-08-24T14:20:08Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-sort-severity-in-search/m-p/415857#M1355 <P>Then use <CODE>rename "1.Medium", "2.Low"...</CODE> in the above SPL.</P> Sat, 25 Aug 2018 18:36:47 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-sort-severity-in-search/m-p/415857#M1355 niketn 2018-08-25T18:36:47Z