I am currently using a bar chart visualization but I need to sort the bars by descending order.
I can't use a simple chart count by EVNTSEVCAT | sort -count because the SEVCAT field contains multiple values and we only need I,II, and III.
below is my query
search *
| eval CATI = if(SEVCAT=="I", 1,0)
| eval CATII = if(SEVCAT=="II", 1,0)
| eval CATIII = if(SEVCAT=="III", 1,0)
| chart sum(CATI) sum(CATII) sum(CATIII)
| transpose
The visualization:
I need the visualization to be sorted in descending order. Any suggestions help :-).
Thank you,
Marco
1 Solution
@ITWhisperer Thank you I modified it a bit and it works. For people in the future, this is the final query, with the final visualization.
search *
| eval CATI = if(SEVCAT=="I", 1,0)
| eval CATII = if(SEVCAT=="II", 1,0)
| eval CATIII = if(SEVCAT=="III", 1,0)
| chart sum(CATI) sum(CATII) sum(CATIII)
| transpose
| sort - "row 1"
-Marco
