https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77537#M19596 <P>The way we found to do this was with a subsearch and <CODE>return $field</CODE>.</P> <UL> <LI>get your sorting criteria (we ran <CODE>stats</CODE> on a subset of the source data)</LI> <LI>sort the results</LI> <LI>use <CODE>fields</CODE> to pull only the field used for your series</LI> <LI><CODE>mvcombine</CODE> to turn all the records into a single one</LI> <LI>then <CODE>eval</CODE> with <CODE>mvjoin</CODE> to make it into a comma or space-delimited string</LI> <LI>output with <CODE>return $&lt;your list field&gt;</CODE> (the $ returns only the field's value)</LI> </UL> <P>Probably a more efficient way out there, but this seems to work.</P> Tue, 06 Nov 2012 23:22:14 GMT jpreve 2012-11-06T23:22:14Z https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77532#M19591 <P>We have a timechart that plots the number of entries of a specific type per day. The types are numerical (2, 3, 4...10, 11 at the moment).</P> <P>Right now, doing a "timechart count by type" produces the type of chart we want, except that the first two series are 10 and 11 (so it is being ordered 10, 11, 2, 3, 4, 5, etc...)</P> <P>How do I reorder the search so that the series emerge in numerical order instead of lexicographical?</P> Tue, 26 Oct 2010 02:20:29 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77532#M19591 simumichaelm 2010-10-26T02:20:29Z https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77533#M19592 <P>Have you tried this route?: <CODE>timechart count by type | sort num(type)</CODE></P> <P>(From: <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/Sort" rel="nofollow">http://www.splunk.com/base/Documentation/latest/SearchReference/Sort</A> )</P> Tue, 26 Oct 2010 05:26:52 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77533#M19592 David 2010-10-26T05:26:52Z https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77534#M19593 <P>1) If the numbers really are quite small it's probably best to just use the fields command to reorder them. </P> <PRE><CODE>&lt;your search&gt; | fields _time 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 </CODE></PRE> <P>2) or you could look into the <CODE>transpose</CODE> command. You could in theory transpose, sort and then transepose again. However transpose has some strange characteristics and you'd have to use a lot of <CODE>eval</CODE> contortions to end up with what you want.... </P> <P>3) if the numbers are NOT small, you dont want to have a fields command that lists every integer, and you dont mind bucketing the split-by field a little, you can use this: </P> <PRE><CODE>&lt;your search&gt; | timechart count by date_second bins=10 </CODE></PRE> <P>Not many people know this, but if you put a bins argument after a split-by term, it actually buckets the split-by term.... So you end up with column values like "10-20", "20-30", "30-40", "40-50" etc... This may not be what you're looking for, but it has the nice side effect of sorting the buckets numerically. </P> Tue, 18 Jan 2011 12:28:35 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77534#M19593 sideview 2011-01-18T12:28:35Z https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77535#M19594 <P>Or prefix type with zero. </P> <P>... | eval type=if(type&lt;10,"0"+type,type) | timechart ...</P> Thu, 21 Apr 2011 00:55:13 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77535#M19594 vbumgarner 2011-04-21T00:55:13Z https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77536#M19595 <P>the sort command will sort the rows by a field called 'type', but in a split-by clause like this the type values are columns. So this question is really about sorting columns not rows.</P> Thu, 21 Apr 2011 07:33:33 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77536#M19595 sideview 2011-04-21T07:33:33Z https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77537#M19596 <P>The way we found to do this was with a subsearch and <CODE>return $field</CODE>.</P> <UL> <LI>get your sorting criteria (we ran <CODE>stats</CODE> on a subset of the source data)</LI> <LI>sort the results</LI> <LI>use <CODE>fields</CODE> to pull only the field used for your series</LI> <LI><CODE>mvcombine</CODE> to turn all the records into a single one</LI> <LI>then <CODE>eval</CODE> with <CODE>mvjoin</CODE> to make it into a comma or space-delimited string</LI> <LI>output with <CODE>return $&lt;your list field&gt;</CODE> (the $ returns only the field's value)</LI> </UL> <P>Probably a more efficient way out there, but this seems to work.</P> Tue, 06 Nov 2012 23:22:14 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-timechart-series/m-p/77537#M19596 jpreve 2012-11-06T23:22:14Z