Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I reorder columns in xyseries?

lyndac
Contributor
‎02-17-2017 11:44 AM

Splunk Enterprise 6.4.1.
I am trying to create a single table that displays data like this:

                         Priority 1       Priority 2           Priority 3
  server         Count       Volume       Count    Volume      Count   Volume
server-1           123         2.34       10       .13         75      1.72
server-2           195         2.32       15       .19         174     1.93

However, using the xyseries command, the data is output like this:

server             count:1    count:2  count:3   volume:1 volume:2   volume:3
server-1           123        10       75        2.34     .13        1.72
server-2           195        15       174       2.32     .19        1.93

I think we can live with the column headers looking like "count:1" etc, but is it possible to rearrange the columns so that the columns for count/volume for a specific priority are side-by-side? This is the search I use to generate the table:

index=foo | stats count as count sum(filesize) as volume by priority, server | xyseries server priority count volume | fill null

Ideally, I'd like to change the column headers to be multiline like 

Priority 1 
  count
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-17-2017 12:00 PM

Splunk doesn't support multiline headers. Try this workaround to see if this works for you
Updated

index=foo | chart count as count sum(filesize) as volume by server priority  | rename "count: *" as "Priority *:Count" "volume: *" as "Priority *:Volume" | table server *

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-17-2017 12:00 PM

Splunk doesn't support multiline headers. Try this workaround to see if this works for you
Updated

index=foo | chart count as count sum(filesize) as volume by server priority  | rename "count: *" as "Priority *:Count" "volume: *" as "Priority *:Volume" | table server *
0 Karma
Reply
Solved! Jump to solution

lyndac
Contributor
‎02-17-2017 12:36 PM

Works great! As an aside, I was able to use the same rename command with my original search. I didn't know you could use the wildcard in that way. Very cool!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...