topic Re: How can I sort the order of my sources to appear in my chart? in Splunk Search

How can I sort the order of my sources to appear in my chart?

MichaelPriest — Wed, 22 Jul 2015 12:27:51 GMT

Hoping someone can help me out. This is my search:

[| metadata type=sources index="test_inputs" | search source="GAL Servers ALL*" | sort recentTime desc | head 3 | fields source] search Type="Vuln" Severity="4" OR Severity="5"| chart count by Business_Service source | addtotals | sort -Total | fields - Total

And it returns this:

Currently each column is a different source, so 3 in total, called May 2015, June 2015, July 2015.

The problem that i have is that on my chart, it's displaying as July 2015, June 2015, May 2015.

How can i alter the search so it's displaying correctly?

Re: How can I sort the order of my sources to appear in my chart?

MichaelPriest — Wed, 22 Jul 2015 13:16:03 GMT

The search has changed to:

index="test_inputs" source="GAL Servers ALL*" Type="Vuln" (Severity="4" OR Severity="5")| chart count by Business_Service source | addtotals | sort -Total | fields - Total

Re: How can I sort the order of my sources to appear in my chart?

senthilgoa — Tue, 29 Sep 2020 06:46:21 GMT

Use the search below:

index=win_srv_perf host=host  (source="Perfmon:FreeDiskSpace" OR source="Perfmon:LogicalDisk" OR source="Perfmon:LocalNetwork") |eval Time = strftime(_time,"%Y_%m_%B") | chart count by source Time | addtotals | sort -Total

|eval Time = strftime(_time,"%Y_%m_%B") you get
2015_05_May
2015_06_June

2015_07_July

now you get correct order

Re: How can I sort the order of my sources to appear in my chart?

MichaelPriest — Wed, 22 Jul 2015 15:21:18 GMT

This didn't work i'm afraid. It needs to be by source and business_service in the chart command. Any other suggestions?

Re: How can I sort the order of my sources to appear in my chart?

senthilgoa — Wed, 22 Jul 2015 15:34:24 GMT

instead of source and business_service i used source and Time. you will change according to your fields

Re: How can I sort the order of my sources to appear in my chart?

MichaelPriest — Wed, 22 Jul 2015 15:56:40 GMT

Yes i tried your way and it ordered the sources correctly, i.e. May June July. But it only gave me a overall total for each source. I want to see each source by business_service. it will be broken down by 3:

for each source get the total count by business_service and order it by Time (so it displays it as May June July)

If i need to give more clarity let me know 🙂

thanks

Re: How can I sort the order of my sources to appear in my chart?

woodcock — Fri, 24 Jul 2015 19:13:20 GMT

You can use fields to manually reorder them OR you can create another field, sort by it, and then remove it like this

index="test_inputs" source="GAL Servers ALL*" Type="Vuln" (Severity="4" OR Severity="5")| chart count by Business_Service source | addtotals | sort -Total | fields - Total | eval Time=strptime(Business_Service, "%B %Y") | sort 0 Time | fields - Time

Re: How can I sort the order of my sources to appear in my chart?

somesoni2 — Fri, 24 Jul 2015 22:36:48 GMT

This should do the trick

[| metadata type=sources index="test_inputs" | search source="GAL Servers ALL*" | sort recentTime desc | head 3 | fields source] search Type="Vuln" Severity="4" OR Severity="5"| chart count by Business_Service source | addtotals | sort -Total | table Business_Service [| metadata type=sources index="test_inputs" | search source="GAL Servers ALL*" | sort recentTime desc | head 3 | fields source | eval epoch=strptime(source,"%B %Y") | sort epoch asc | stats list(source) as source delim="," | nomv source | return $source]