<param name="search">eventtype="metrics" | stats count(eval(JobStatus="JOB.FINISHED")) as JobCompleted, count(eval(JobStatus="JOB.PENDING")) as JobPending by Stage | eval total=(JobCompleted/JobPending)*100 | chart values(total) as "Percentage" by Stage | lookup stage_lookup Stage OUTPUT StageName | fields - Stage | table StageName, Percentage | rename StageName as "Stage Name"</param>
It'll display the bar chart in the following order:
Application - x% graph
System - x% graph
Online - x% graph
Report - x% graph
SOD - x% graph
I want to change the order to the following:
Application - x% graph
SOD - x% graph
Report - x% graph
System - x% graph
Online - x% graph
You may find a better answer here:
but I solved it using eval below (most will recommend case instead of if):
| eval StageNameNew=if(StageName="Application","1. Application",if(StageName="SOD","2. SOD",if(StageName="Report","3. Report",if(StageName="System","4. System",if(StageName="Online","5. Online","Other or Unknown Stage")))))| table StageNameNew, Percentage | rename StageNameNew as StageName
The UI looks very ugly and I don't want any prefix before the job type.
Is there any other alternative? How does Splunk decide the field order?
fields command, like so:
| table StageName Percentage | chart max(Percentage) as Percentage by StageName | transpose column_name="Title" header_field=StageName | fields Title Application SOD Report System Online
Note that I had to use transpose to move the Percentage values to columns. For timecharts, you wouldn't need to do that.