https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377305#M110687 <P>While this sort the fields the output which is the count is empty. The result is empty .</P> Tue, 06 Nov 2018 16:50:11 GMT archu_01 2018-11-06T16:50:11Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377303#M110685 <P>I am trying to sort the data month wise using the chart command. However the month is getting sorted alphabetically.</P> <P>I tried referring the older post around the same topic, but none of solution works.</P> <P>Tried all of these options </P> <P>base search | eval Month =strftime(_time,"%b") | chart count over rules by Month<BR /> base search | eval Month =strftime(_time,"%b") | chart count over rules by Month | eval sort=case(Month=="Jan","1",<BR /> Month=="Feb","2", Month=="Mar","3", Month=="Apr","4", Month=="May","5", Month=="Jun","6", Month=="Jul","7",<BR /><BR /> Month=="Aug","8", Month=="Sep","9", Month=="Oct","10", Month=="Nov","11", Month=="Dec","12")|sort sort |fields - <BR /> sort</P> <P>The query that works is by numeric(as shown below) , but how do I convert the numeric to represent "month Name" as "Sep 2018,oct 2018 "?</P> <PRE><CODE>base search | eval Monthnum =strftime(_time,"%m") | chart count over rules by Monthnum </CODE></PRE> Tue, 29 Sep 2020 21:55:17 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377303#M110685 archu_01 2020-09-29T21:55:17Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377304#M110686 <P>@archu_01,</P> <P>Try specifying the month names with <CODE>fields</CODE></P> <PRE><CODE>base search | eval Month =strftime(_time,"%b") | chart count over rules by Month |fields rules,Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec </CODE></PRE> Tue, 06 Nov 2018 07:18:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377304#M110686 renjith_nair 2018-11-06T07:18:53Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377305#M110687 <P>While this sort the fields the output which is the count is empty. The result is empty .</P> Tue, 06 Nov 2018 16:50:11 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377305#M110687 archu_01 2018-11-06T16:50:11Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377306#M110688 <P>rechecked the result set, the data is working. however if I set the time frame to last 90 days then how can we display the data just to show Aug,sep,oct, Nov ? since we mentioned all the months in the fields command other months populate as results and show 0 count ?</P> <P>rules Jan feb Mar Apr Jun Jul Aug Sep Oct Nov Dec<BR /> xxx 200 10 300 500</P> Tue, 06 Nov 2018 17:08:16 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377306#M110688 archu_01 2018-11-06T17:08:16Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377307#M110689 <P>I got what you mean. I will try for a solution and meanwhile I will move as a comment so that others might be able to help you</P> Wed, 07 Nov 2018 05:49:48 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377307#M110689 renjith_nair 2018-11-07T05:49:48Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377308#M110690 <P>@archu_01,</P> <P>Try this and see if it works for you</P> <PRE><CODE> base search | eval Month =strftime(_time,"%b") | chart count over rules by Month |fields rules,Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec |transpose|transpose header_field=column |fields - column </CODE></PRE> Wed, 07 Nov 2018 13:28:14 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377308#M110690 renjith_nair 2018-11-07T13:28:14Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377309#M110691 <P>cool this works. I haven't used transpose but looks like the query limits the rows only to 5, can we make the limit 0 ?</P> Wed, 07 Nov 2018 16:18:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377309#M110691 archu_01 2018-11-07T16:18:21Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377310#M110692 <P>@archu_01,<BR /> yes ofcourse, just add <CODE>transpose 0</CODE></P> <P>See the int in <A href="http://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Transpose#Optional_arguments">http://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Transpose#Optional_arguments</A></P> Thu, 08 Nov 2018 05:39:11 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377310#M110692 renjith_nair 2018-11-08T05:39:11Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377311#M110693 <P>Thanks this works !!</P> Fri, 09 Nov 2018 08:04:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-chart-command-returning-months-in-alphabetical-order/m-p/377311#M110693 archu_01 2018-11-09T08:04:53Z