Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How can I make the months appear in alphabetic...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to preserve the logic, columns, and legend of the chart produced by my query but with months in chronological order rather than alphabetical. The solutions I found on here for correcting the month order seem to change the values used for my legend.
How can I make the months appear in alphabetical order without interfering with my chart legend?
|`init("xxx")`
| where strptime(info_date_reported,"%Y-%m-%d %H:%M:%S.%6N")>now() AND strptime(info_date_reported,"%Y-%m-%d %H:%M:%S.%6N")<=relative_time(now(), "+6mon")
| eval month=strftime(strptime(info_date_reported,"%Y-%m-%d %H:%M:%S.%6N"),"%b")
| table info_subType info_date_reported month
| chart count(info_subType) over month by info_subType
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this - if it does nto work, then continue as below:
|`init("xxx")`
| where strptime(info_date_reported,"%Y-%m-%d %H:%M:%S.%6N")>now()
AND strptime(info_date_reported,"%Y-%m-%d %H:%M:%S.%6N")<=relative_time(now(), "+6mon")
| eval month = relative_time(strptime(info_date_reported,"%Y-%m-%d %H:%M:%S.%6N"),"@mon")
| fields month info_subType
| fieldformat month=strftime(month,"%b")
| chart count over month by info_subType
If the above does not work...
ISO date format is YYYY-MM-DD. This way it is unambiguous, and can be sorted and compared directly without conversion.
If you really need the month written out, and if fieldformat does not work for chart then put the numeric year and month on the front of the formatted date first, like this:
2) | eval month=strftime(strptime(info_date_reported,"%Y-%m-%d %H:%M:%S.%6N"),""%Y-%m %b")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this - if it does nto work, then continue as below:
|`init("xxx")`
| where strptime(info_date_reported,"%Y-%m-%d %H:%M:%S.%6N")>now()
AND strptime(info_date_reported,"%Y-%m-%d %H:%M:%S.%6N")<=relative_time(now(), "+6mon")
| eval month = relative_time(strptime(info_date_reported,"%Y-%m-%d %H:%M:%S.%6N"),"@mon")
| fields month info_subType
| fieldformat month=strftime(month,"%b")
| chart count over month by info_subType
If the above does not work...
ISO date format is YYYY-MM-DD. This way it is unambiguous, and can be sorted and compared directly without conversion.
If you really need the month written out, and if fieldformat does not work for chart then put the numeric year and month on the front of the formatted date first, like this:
2) | eval month=strftime(strptime(info_date_reported,"%Y-%m-%d %H:%M:%S.%6N"),""%Y-%m %b")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The first one worked perfectly, thanks!
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
