Solved: How to sort fields ?

Marco_Develops · ‎04-20-2022

I am currently using a bar chart visualization but I need to sort the bars by descending order.

I can't use a simple chart count by EVNTSEVCAT | sort -count because the SEVCAT field contains multiple values and we only need I,II, and III.

below is my query

search * 
| eval CATI = if(SEVCAT=="I", 1,0) 
| eval CATII = if(SEVCAT=="II", 1,0) 
| eval CATIII = if(SEVCAT=="III", 1,0) 
| chart sum(CATI) sum(CATII) sum(CATIII)
| transpose

The visualization:

I need the visualization to be sorted in descending order. Any suggestions help :-).

Thank you,

Marco

ITWhisperer · ‎04-20-2022

| transpose 0 header_field=cat column_name=cat
| sort 0 - "row 1"
| transpose 0 header_field=cat column_name=cat
| fields - cat

View solution in original post

ITWhisperer · ‎04-20-2022

Do you mean sort the names in descending order or the values in descending order?

Marco_Develops · ‎04-20-2022

The values in descending order.

The table below represents my bar chart:

sum(CATI)	sum(CATII)	sum(CATIII)
7	141	3

I want the bar chart to sort it out in descending order, so that way sum(CATII) shows first, sum(CATI) second, ,and sum(CATIII) third

-Marco

ITWhisperer · ‎04-20-2022

| transpose 0 header_field=cat column_name=cat
| sort 0 - "row 1"
| transpose 0 header_field=cat column_name=cat
| fields - cat

Marco_Develops · ‎04-20-2022

@ITWhisperer Thank you I modified it a bit and it works. For people in the future, this is the final query, with the final visualization.

search * 
| eval CATI = if(SEVCAT=="I", 1,0) 
| eval CATII = if(SEVCAT=="II", 1,0) 
| eval CATIII = if(SEVCAT=="III", 1,0) 
| chart sum(CATI) sum(CATII) sum(CATIII)
| transpose
| sort - "row 1"

-Marco

How to sort fields ?

panel

simple XML

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...