https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165974#M47212 <P>If this has answered your question, please mark it accepted. Thanks!</P> Wed, 04 Dec 2013 16:52:06 GMT alacercogitatus 2013-12-04T16:52:06Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165968#M47206 <P>Hi,</P> <P>I've got a timechart with several columns. The headers of these columns are numbers (0,1,2,3... etc) and I would like to sort the columns ascending. With the sort command it doesn't work, perhaps somebody can help me here <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thanks in advance</P> <P>Heinz</P> Thu, 27 Oct 2022 13:45:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165968#M47206 HeinzWaescher 2022-10-27T13:45:30Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165969#M47207 <P>Fields can be "sorted" using the <CODE>fields</CODE> command.</P> <P><CODE>your_search | fields col0 col1 col2 col3 col4 col5</CODE></P> <P>Per <CODE><A href="http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Use_proper_field_name_syntax" target="test_blank">http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles#Use_proper_field_name_syntax</A></CODE>, you may not have fields that begin with 0-9.</P> <P><CODE>Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk Enterprise's internal variables.</CODE></P> <P><EM>=EDIT=</EM></P> <P>Based on your comment, I can say that they are sorted by numeral already, just that it is based on the beginning number. To do what you want, do this:</P> <P><CODE>your_search | eval tt = case(X&lt;10,"00".X,X&lt;100,"0".X,1=1,X) | timechart count by tt</CODE></P> <P>Add additional case statements for each increase in the tens place, and make sure the padding is correct. </P> Wed, 04 Dec 2013 12:23:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165969#M47207 alacercogitatus 2013-12-04T12:23:59Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165970#M47208 <P>hi,</P> <P>thanks for your answer. The headers are values of a field "X", which I create during my search. The command looks like this:</P> <P>| timechart span=1d dc(user) by X</P> <P>So it's not about sorting fields, but sorting the values of field X (which are the column headers in the shown chart).</P> Wed, 04 Dec 2013 13:09:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165970#M47208 HeinzWaescher 2013-12-04T13:09:16Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165971#M47209 <P>See edit above.</P> Wed, 04 Dec 2013 15:15:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165971#M47209 alacercogitatus 2013-12-04T15:15:08Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165972#M47210 <P>This seems to work fine, thanks!</P> <P>To get sure, that I understand what I'm doing here:<BR /> Could you explain why are we using a "dot" in the the Y argument? And what's the use last pair "(1=1,X)?</P> Wed, 04 Dec 2013 15:55:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165972#M47210 HeinzWaescher 2013-12-04T15:55:59Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165973#M47211 <P>The "." is combining the string "0" with the value of X. The last pair makes sure that anything not matching in the case statement will assign the value of X to the field "tt", to make sure they are all there.</P> Wed, 04 Dec 2013 16:14:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165973#M47211 alacercogitatus 2013-12-04T16:14:13Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165974#M47212 <P>If this has answered your question, please mark it accepted. Thanks!</P> Wed, 04 Dec 2013 16:52:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/165974#M47212 alacercogitatus 2013-12-04T16:52:06Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/618512#M214978 <P>Thank you so much.</P><P>&nbsp;</P><P>Best Regards,</P><P>CR</P> Thu, 27 Oct 2022 02:33:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-column-headers-in-timechart/m-p/618512#M214978 chakuttha 2022-10-27T02:33:32Z