https://community.splunk.com/t5/Splunk-Search/Sort-highest-to-lowest-over-time-with-timechart/m-p/345119#M102256 <P>Hi <A href="mailto:patrick.okeeffe@icbc.com">patrick.okeeffe@icbc.com</A>,<BR /> I agree with @DalJeanis that i following yourrequest you loose the time vision of you events.<BR /> Anyway I had a customer that asked to me something near your request and I solved in this way:</P> <PRE><CODE>index=_internal source=*access.log GET sourcetype=splunk_web_access | search "/app/" | rex field=_raw "\/app\/(?&lt;appName&gt;\S+)\/" | bin span=1d _time | search appName!=launcher OR appName!=search | eval column=appName+" "+strftime(_time,"%Y-%m-%d %H:%M:%S") | stats count by column | sort -count </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 07 Nov 2017 08:05:23 GMT gcusello 2017-11-07T08:05:23Z https://community.splunk.com/t5/Splunk-Search/Sort-highest-to-lowest-over-time-with-timechart/m-p/345117#M102254 <P>Hello,</P> <P>I'm trying to display a graph of the my Splunk applications by usage, highest to lowest within a given time period. Can I sort so I can see highest on the left to lowest over say 7 days. This is what I have now:</P> <P>index=_internal source=*access.log GET sourcetype=splunk_web_access <BR /> | search "/app/" <BR /> | rex field=_raw "\/app\/(?\S+)\/" <BR /> | timechart span=1d count by appName usenull=f useother=f <BR /> | fields - launcher, search</P> <P>I tried sorting by appName, count etc but no change.</P> <P>here is what the current timechart looks like:<BR /> <IMG src="https://community.splunk.com/storage/temp/218703-graph.png" alt="alt text" /></P> Tue, 29 Sep 2020 16:34:56 GMT https://community.splunk.com/t5/Splunk-Search/Sort-highest-to-lowest-over-time-with-timechart/m-p/345117#M102254 patrick_okeeffe 2020-09-29T16:34:56Z https://community.splunk.com/t5/Splunk-Search/Sort-highest-to-lowest-over-time-with-timechart/m-p/345118#M102255 <P>What you are asking for doesn't make much sense to me. <CODE>timechart</CODE> is charting over a period of time... that is what determines left vs right. </P> <P>I don't believe you can have each day sort from highest to lowest, retaining color...That would lose the visual anchoring that tells you which color orange is which series, and multiple oranges or blues would end up next to each other, making it even more difficult to read. </P> <P>You might consider switching to a line chart rather than a bar chart, since with this data that would be more understandable.</P> Tue, 07 Nov 2017 02:01:11 GMT https://community.splunk.com/t5/Splunk-Search/Sort-highest-to-lowest-over-time-with-timechart/m-p/345118#M102255 DalJeanis 2017-11-07T02:01:11Z https://community.splunk.com/t5/Splunk-Search/Sort-highest-to-lowest-over-time-with-timechart/m-p/345119#M102256 <P>Hi <A href="mailto:patrick.okeeffe@icbc.com">patrick.okeeffe@icbc.com</A>,<BR /> I agree with @DalJeanis that i following yourrequest you loose the time vision of you events.<BR /> Anyway I had a customer that asked to me something near your request and I solved in this way:</P> <PRE><CODE>index=_internal source=*access.log GET sourcetype=splunk_web_access | search "/app/" | rex field=_raw "\/app\/(?&lt;appName&gt;\S+)\/" | bin span=1d _time | search appName!=launcher OR appName!=search | eval column=appName+" "+strftime(_time,"%Y-%m-%d %H:%M:%S") | stats count by column | sort -count </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 07 Nov 2017 08:05:23 GMT https://community.splunk.com/t5/Splunk-Search/Sort-highest-to-lowest-over-time-with-timechart/m-p/345119#M102256 gcusello 2017-11-07T08:05:23Z https://community.splunk.com/t5/Splunk-Search/Sort-highest-to-lowest-over-time-with-timechart/m-p/345120#M102257 <P>Thank you both. Appreciate the feedback.</P> <P>I was thinking it would be visually easier to use a bar chart that showed me the highest to lowest, left to right within any given day. But the line chart makes sense.</P> <P>Cheers,<BR /> Patrick</P> Tue, 07 Nov 2017 16:59:55 GMT https://community.splunk.com/t5/Splunk-Search/Sort-highest-to-lowest-over-time-with-timechart/m-p/345120#M102257 patrick_okeeffe 2017-11-07T16:59:55Z