Dashboards & Visualizations

How do I reorder columns in xyseries?

lyndac
Contributor

Splunk Enterprise 6.4.1.
I am trying to create a single table that displays data like this:

                         Priority 1       Priority 2           Priority 3
  server         Count       Volume       Count    Volume      Count   Volume
server-1           123         2.34       10       .13         75      1.72
server-2           195         2.32       15       .19         174     1.93

However, using the xyseries command, the data is output like this:

server             count:1    count:2  count:3   volume:1 volume:2   volume:3
server-1           123        10       75        2.34     .13        1.72
server-2           195        15       174       2.32     .19        1.93

I think we can live with the column headers looking like "count:1" etc, but is it possible to rearrange the columns so that the columns for count/volume for a specific priority are side-by-side? This is the search I use to generate the table:

index=foo | stats count as count sum(filesize) as volume by priority, server | xyseries server priority count volume | fill null

Ideally, I'd like to change the column headers to be multiline like

Priority 1 
  count     
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Splunk doesn't support multiline headers. Try this workaround to see if this works for you
Updated

index=foo | chart count as count sum(filesize) as volume by server priority  | rename "count: *" as "Priority *:Count" "volume: *" as "Priority *:Volume" | table server *

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Splunk doesn't support multiline headers. Try this workaround to see if this works for you
Updated

index=foo | chart count as count sum(filesize) as volume by server priority  | rename "count: *" as "Priority *:Count" "volume: *" as "Priority *:Volume" | table server *
0 Karma

lyndac
Contributor

Works great! As an aside, I was able to use the same rename command with my original search. I didn't know you could use the wildcard in that way. Very cool!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...