https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337433#M100119 <P>Hello @elliotproebstel </P> <P>I have tried using Transpose earlier. However it is not showing the complete results. Some of the sources and months are missing in the final result and that is the reason I went for xyseries. <BR /> Using Transpose, I get only 4 months and 5 processes which should be more than 10 each.</P> <P>Thanks</P> Fri, 09 Mar 2018 15:30:11 GMT maria2691 2018-03-09T15:30:11Z https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337431#M100117 <P>Hello Everyone</P> <P>Below is my search query:</P> <PRE><CODE>base search | fillnull TimesRan value=1 | bucket span=1mon _time | stats sum(TimesRan) as timesran by source _time | sort by _time asc | eval _time=strftime(_time,"%b - %Y") | xyseries source, _time, timesran | fillnull value=0 | rename source as "Process" </CODE></PRE> <P>Now the results are like, </P> <P>Process Aug - 2017 Dec - 2017 Feb - 2018 Jan - 2018<BR /> hdjdd 21 16 15 15<BR /><BR /> hsfjd 0 172 143 164<BR /> hdjd 0 0 2 0<BR /><BR /> jhdjdk 0 39 54 59</P> <P>Even though I have sorted the months before using xyseries, the command is again sorting the months by Alphabetical order. How do I avoid it so that the months are shown in a proper order.</P> <P>Thanks<BR /> Maria Arokiaraj</P> Fri, 09 Mar 2018 14:58:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337431#M100117 maria2691 2018-03-09T14:58:20Z https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337432#M100118 <P>There might be a cleaner way to do this, but this should work:</P> <PRE><CODE>base search | fillnull TimesRan value=1 | bucket span=1mon _time | stats sum(TimesRan) as timesran by source _time | xyseries source, _time, timesran | fillnull value=0 | rename source as "Process" | transpose | eval column=if(column!="Process", strftime(column,"%b - %Y"), column) | transpose header_field=column | fields - column </CODE></PRE> Fri, 09 Mar 2018 15:26:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337432#M100118 elliotproebstel 2018-03-09T15:26:22Z https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337433#M100119 <P>Hello @elliotproebstel </P> <P>I have tried using Transpose earlier. However it is not showing the complete results. Some of the sources and months are missing in the final result and that is the reason I went for xyseries. <BR /> Using Transpose, I get only 4 months and 5 processes which should be more than 10 each.</P> <P>Thanks</P> Fri, 09 Mar 2018 15:30:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337433#M100119 maria2691 2018-03-09T15:30:11Z https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337434#M100120 <P>Ah, sure! The <CODE>transpose</CODE> command defaults to only 5 rows. Try this:</P> <PRE><CODE>base search | fillnull TimesRan value=1 | bucket span=1mon _time | stats sum(TimesRan) as timesran by source _time | xyseries source, _time, timesran | fillnull value=0 | rename source as "Process" | transpose 0 | eval column=if(column!="Process", strftime(column,"%b - %Y"), column) | transpose 0 header_field=column | fields - column </CODE></PRE> Fri, 09 Mar 2018 15:46:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337434#M100120 elliotproebstel 2018-03-09T15:46:40Z https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337435#M100121 <P>Thanks a lot @elliotproebstel. It worked <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 09 Mar 2018 15:49:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337435#M100121 maria2691 2018-03-09T15:49:08Z https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337436#M100122 <P>Great! Glad you got it working.</P> Fri, 09 Mar 2018 15:51:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337436#M100122 elliotproebstel 2018-03-09T15:51:03Z https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337437#M100123 <P>I have a similar issue..<BR /> base search | stats count by Month,date_year,date_month, SLAMet, ReportNamewithextn | sort date_year date_month | fields Month ReportNamewithextn count | xyseries ReportNamewithextn Month count | fillnull value=0 | rename ReportNamewithextn as "ReportName"</P> <P>Result:</P> <P>Report Name Apr 2018 Aug 2018 Dec 2018 Feb 2018<BR /> aaaaaaaaa 3 5 3 2</P> <P>It needs to be ordered by Mon Year chronologically. I tried above solution, but it doesn't work. Can you please help</P> Tue, 29 Sep 2020 22:48:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337437#M100123 josephro 2020-09-29T22:48:38Z https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337438#M100124 <P>I have a similar issue..<BR /> base search | stats count by Month,date_year,date_month, SLAMet, ReportNamewithextn | sort date_year date_month | fields Month ReportNamewithextn count | xyseries ReportNamewithextn Month count | fillnull value=0 | rename ReportNamewithextn as "ReportName"</P> <P>Result:</P> <P>Report Name Apr 2018 Aug 2018 Dec 2018 Feb 2018<BR /> aaaaaaaaa 3 5 3 2</P> Tue, 29 Sep 2020 22:48:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Avoid-alphabetical-sorting-on-xyseries-command/m-p/337438#M100124 josephro 2020-09-29T22:48:40Z