https://community.splunk.com/t5/Splunk-Search/Sort-result-of-bin-to-draw-distribution-histogram/m-p/528329#M149173 <P>Hi</P><P>I'm trying to draw a distribution histogram of the duration to complete a specific action. The search is:</P><P>&nbsp;</P><LI-CODE lang="markup">index=index1 STATUS=Executed | eval EXECUTED_DATE_e = strptime(EXECUTED_DATE, "%Y-%m-%d %H:%M:%S.%1N") | eval START_DATE_e = strptime(START_DATE, "%Y-%m-%d %H:%M:%S.%1N") | eval TTR = EXECUTED_DATE_e - START_DATE_e | bin bins=100 TTR | stats count by TTR</LI-CODE><P>&nbsp;</P><P>This produces the correct bins and counts, but the order is alphanumeric, which places 1000000-2000000 directly after 100000-200000, instead of 200000-300000. If I plot this result the bins are in the wrong location, and I cannot clearly interpret the distribution histogram.</P><TABLE><TBODY><TR><TD width="151px">-100000-0</TD><TD width="69px">27531</TD></TR><TR><TD width="151px">0-100000</TD><TD width="69px">151267</TD></TR><TR><TD width="151px">100000-200000</TD><TD width="69px">14649</TD></TR><TR><TD width="151px">1000000-1100000</TD><TD width="69px">361</TD></TR><TR><TD width="151px">1100000-1200000</TD><TD width="69px">371</TD></TR><TR><TD width="151px">1200000-1300000</TD><TD width="69px">197</TD></TR><TR><TD width="151px">1300000-1400000</TD><TD width="69px">119</TD></TR><TR><TD width="151px">1400000-1500000</TD><TD width="69px">70</TD></TR><TR><TD width="151px">1500000-1600000</TD><TD width="69px">64</TD></TR><TR><TD width="151px">1600000-1700000</TD><TD width="69px">111</TD></TR><TR><TD width="151px">1700000-1800000</TD><TD width="69px">76</TD></TR><TR><TD width="151px">1800000-1900000</TD><TD width="69px">69</TD></TR><TR><TD width="151px">1900000-2000000</TD><TD width="69px">27</TD></TR><TR><TD width="151px">200000-300000</TD><TD width="69px">8390</TD></TR><TR><TD width="151px">2000000-2100000</TD><TD width="69px">20</TD></TR><TR><TD width="151px">2100000-2200000</TD><TD width="69px">22</TD></TR><TR><TD width="151px">2200000-2300000</TD><TD width="69px">12</TD></TR><TR><TD width="151px">2300000-2400000</TD><TD width="69px">10</TD></TR><TR><TD width="151px">2400000-2500000</TD><TD width="69px">8</TD></TR></TBODY></TABLE> Fri, 06 Nov 2020 13:33:35 GMT BernardEAI 2020-11-06T13:33:35Z https://community.splunk.com/t5/Splunk-Search/Sort-result-of-bin-to-draw-distribution-histogram/m-p/528329#M149173 <P>Hi</P><P>I'm trying to draw a distribution histogram of the duration to complete a specific action. The search is:</P><P>&nbsp;</P><LI-CODE lang="markup">index=index1 STATUS=Executed | eval EXECUTED_DATE_e = strptime(EXECUTED_DATE, "%Y-%m-%d %H:%M:%S.%1N") | eval START_DATE_e = strptime(START_DATE, "%Y-%m-%d %H:%M:%S.%1N") | eval TTR = EXECUTED_DATE_e - START_DATE_e | bin bins=100 TTR | stats count by TTR</LI-CODE><P>&nbsp;</P><P>This produces the correct bins and counts, but the order is alphanumeric, which places 1000000-2000000 directly after 100000-200000, instead of 200000-300000. If I plot this result the bins are in the wrong location, and I cannot clearly interpret the distribution histogram.</P><TABLE><TBODY><TR><TD width="151px">-100000-0</TD><TD width="69px">27531</TD></TR><TR><TD width="151px">0-100000</TD><TD width="69px">151267</TD></TR><TR><TD width="151px">100000-200000</TD><TD width="69px">14649</TD></TR><TR><TD width="151px">1000000-1100000</TD><TD width="69px">361</TD></TR><TR><TD width="151px">1100000-1200000</TD><TD width="69px">371</TD></TR><TR><TD width="151px">1200000-1300000</TD><TD width="69px">197</TD></TR><TR><TD width="151px">1300000-1400000</TD><TD width="69px">119</TD></TR><TR><TD width="151px">1400000-1500000</TD><TD width="69px">70</TD></TR><TR><TD width="151px">1500000-1600000</TD><TD width="69px">64</TD></TR><TR><TD width="151px">1600000-1700000</TD><TD width="69px">111</TD></TR><TR><TD width="151px">1700000-1800000</TD><TD width="69px">76</TD></TR><TR><TD width="151px">1800000-1900000</TD><TD width="69px">69</TD></TR><TR><TD width="151px">1900000-2000000</TD><TD width="69px">27</TD></TR><TR><TD width="151px">200000-300000</TD><TD width="69px">8390</TD></TR><TR><TD width="151px">2000000-2100000</TD><TD width="69px">20</TD></TR><TR><TD width="151px">2100000-2200000</TD><TD width="69px">22</TD></TR><TR><TD width="151px">2200000-2300000</TD><TD width="69px">12</TD></TR><TR><TD width="151px">2300000-2400000</TD><TD width="69px">10</TD></TR><TR><TD width="151px">2400000-2500000</TD><TD width="69px">8</TD></TR></TBODY></TABLE> Fri, 06 Nov 2020 13:33:35 GMT https://community.splunk.com/t5/Splunk-Search/Sort-result-of-bin-to-draw-distribution-histogram/m-p/528329#M149173 BernardEAI 2020-11-06T13:33:35Z https://community.splunk.com/t5/Splunk-Search/Sort-result-of-bin-to-draw-distribution-histogram/m-p/528331#M149175 <P>The bin labels are strings rather than integers so they sort lexicographically.&nbsp; Try this alternative</P><LI-CODE lang="markup">... | stats count, first(START_DATE_e) as start by TTR | sort + start | fields - start</LI-CODE> Fri, 06 Nov 2020 13:50:42 GMT https://community.splunk.com/t5/Splunk-Search/Sort-result-of-bin-to-draw-distribution-histogram/m-p/528331#M149175 richgalloway 2020-11-06T13:50:42Z https://community.splunk.com/t5/Splunk-Search/Sort-result-of-bin-to-draw-distribution-histogram/m-p/528830#M149316 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>I tried this solution, but it didn't work. I eventually solved this by making a kvstore from a csv file, in which I defined the bins and their order. I could then get an order for each TTR bin, and then sort according to that order. For this to work you need to define the span and stick to it, otherwise the bin string changes, and then the lookup doesn't work anymore.</P><P>Therefore:</P><LI-CODE lang="markup">bin span=1 TTR</LI-CODE><P>rather than:</P><LI-CODE lang="markup">bin bins=400 TTR</LI-CODE><P>&nbsp;</P> Tue, 10 Nov 2020 13:40:08 GMT https://community.splunk.com/t5/Splunk-Search/Sort-result-of-bin-to-draw-distribution-histogram/m-p/528830#M149316 BernardEAI 2020-11-10T13:40:08Z https://community.splunk.com/t5/Splunk-Search/Sort-result-of-bin-to-draw-distribution-histogram/m-p/649582#M224597 <P><SPAN>richgalloway's solution works, it was just missing one line of code. Try something like this:</SPAN></P><P><SPAN>| bin indexlag as bin bins=100<BR />| stats min(indexlag) as starting_value count BY bin<BR />| sort starting_value<BR />| fields - starting_value</SPAN></P><P>&nbsp;</P> Fri, 07 Jul 2023 07:11:30 GMT https://community.splunk.com/t5/Splunk-Search/Sort-result-of-bin-to-draw-distribution-histogram/m-p/649582#M224597 romedome 2023-07-07T07:11:30Z