Dashboards & Visualizations

How to rearrange the columns of a cart command

Trishant
Explorer

I have used this query-

sourcetype="sample data_ui performance" boxtype= "cisco*" build="RC24" | sort +iteration| eval testId = testId + ": " + testcase |
rename testId as Test_CaseID, build as Build, duration as Time_Taken |
chart values(Time_Taken) over Test_CaseID by iteration limit=20 |

and as a result I got
alt text

Now I want to rearrange the columns like 1, 2, 3, 4 and so on. How to do so?? I have tried sort but it didin't work.

Tags (1)
0 Karma
1 Solution

niketn
Legend

@Trishant, you can pad zero to iterations to make them sort as numerical strings i.e. 01, 02, 03... 10, 11 ...

Following example uses printf() function to pad 0 if length of String number is less than 2. printf("%02d",iteration)

sourcetype="sample data_ui performance" boxtype= "cisco*" build="RC24" 
| eval iteration=printf("%02d",iteration)
| eval testId = testId + ": " + testcase 
| rename testId as Test_CaseID, build as Build, duration as Time_Taken 
| chart values(Time_Taken) over Test_CaseID by iteration limit=20

You do not need sort + iteration on second line as mentioned in your search.

While this is just an option, the solution by @DalJeanis is best approach for your scenario. It does not require additional evaluation and it applies sort after dataset is narrowed down to specific results.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@Trishant, you can pad zero to iterations to make them sort as numerical strings i.e. 01, 02, 03... 10, 11 ...

Following example uses printf() function to pad 0 if length of String number is less than 2. printf("%02d",iteration)

sourcetype="sample data_ui performance" boxtype= "cisco*" build="RC24" 
| eval iteration=printf("%02d",iteration)
| eval testId = testId + ": " + testcase 
| rename testId as Test_CaseID, build as Build, duration as Time_Taken 
| chart values(Time_Taken) over Test_CaseID by iteration limit=20

You do not need sort + iteration on second line as mentioned in your search.

While this is just an option, the solution by @DalJeanis is best approach for your scenario. It does not require additional evaluation and it applies sort after dataset is narrowed down to specific results.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Trishant
Explorer

Many Thanks, this worked for me..

0 Karma

niketn
Legend

@Trishant, glad it worked. Did you try @DalJeanis's answer?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Trishant
Explorer

Yeah I tried that as well but,I am not sure why sort command is not working for my query..

0 Karma

somesoni2
Revered Legend

The chart/timechart/xyseries etc command automatically sorts the column names, treating them as string. There can be a workaround but it's based on assumption that the column names are known and fixed. You can basically add a table command at the end of your search with list of columns in the proper order.

your current search with chart command
| table Test_CaseID 1 2 3 4 5 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

OR

your current search with chart command
| table Test_CaseID [| gentimes start=-1 | eval search=mvrange(1,21) | stats list(search) as search delim="," | nomv search ]

DalJeanis
Legend

It is sorting the iterations as strings rather than numbers.

try this

 | sort + num(iteration)
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...