Dashboards & Visualizations

How to sort fields ?

Marco_Develops
Path Finder

I am currently using a bar chart visualization but I need to sort the bars by descending order. 

I can't use a simple  chart count by EVNTSEVCAT | sort -count  because the SEVCAT field contains multiple values and we only need I,II, and III.

below is my query

 

 

 

 

search * 
| eval CATI = if(SEVCAT=="I", 1,0) 
| eval CATII = if(SEVCAT=="II", 1,0) 
| eval CATIII = if(SEVCAT=="III", 1,0) 
| chart sum(CATI) sum(CATII) sum(CATIII)
| transpose

 

 

 

 

 

The visualization:

sort.PNG

 

I need the visualization to be sorted in descending order. Any suggestions help :-).

 

Thank you,

Marco

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| transpose 0 header_field=cat column_name=cat
| sort 0 - "row 1"
| transpose 0 header_field=cat column_name=cat
| fields - cat

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Do you mean sort the names in descending order or the values in descending order?

0 Karma

Marco_Develops
Path Finder

The values in descending order. 

The table below represents my bar chart: 

sum(CATI)sum(CATII)sum(CATIII)
71413

 

I want the bar chart to sort it out in descending order, so that way sum(CATII) shows first, sum(CATI) second, ,and sum(CATIII) third

 

-Marco 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| transpose 0 header_field=cat column_name=cat
| sort 0 - "row 1"
| transpose 0 header_field=cat column_name=cat
| fields - cat

Marco_Develops
Path Finder

@ITWhisperer  Thank you I modified it a bit and it works. For people in the future, this is the final query, with the final visualization.

search * 
| eval CATI = if(SEVCAT=="I", 1,0) 
| eval CATII = if(SEVCAT=="II", 1,0) 
| eval CATIII = if(SEVCAT=="III", 1,0) 
| chart sum(CATI) sum(CATII) sum(CATIII)
| transpose
| sort - "row 1"

 

final.PNG

 

-Marco 

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...