Dashboards & Visualizations

Reverse Stacked Order of Column Chart

itnewbie
Explorer

Hi, I am new to Splunk. I have a stacked column chart after issuing this query: 

 

(index="A" OR index="B") 
    | chart count(Level) over _time span=1mon by Level usenull=f useother=f

 

where Level has four values: 1,2,3,4

The chart is like this: 
Screenshot 2023-07-20 164327.png

As you can see the stack order is now 2 > 3 > 4 (from top to bottom), what if I want to reverse it to display like 4 > 3 > 2 (from top to bottom). I have seen similar questions here using transpose or reverse, I tried follow but still have no luck. Could anyone help? 

Labels (2)
Tags (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

appendcols will sort the column names again.

Try it outside the appendcols

(index="A" OR index="B")  
| eval Satisfaction = if(Satisfaction="good with comment", "good", Satisfaction)
| eval Satisfaction = if(Satisfaction="bad with comment", "bad", Satisfaction)
| chart  count(Satisfaction) over _time span=1mon by Satisfaction usenull=f useother=f   
| appendcols  
[ | search (index="A" OR index="B") 
| chart count(Level) over _time span=1mon by Level usenull=f useother=f ]
| transpose 0 header_field=_time column_name=Level
| reverse
| transpose 0 header_field=Level column_name=_time

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

The visualisation with put the bars in the order of the fields, first at the top.

Chart with order the fields in a sorted order, so in your case 1 will be first (and therefore top of the stack).

To rectify this, you could try this

| transpose 0 header_field=_time column_name=level
| reverse
| transpose 0 header_field=level column_name=_time

itnewbie
Explorer

thanks for the reply. It worked. But what if I put it in chart overlay, like this:

(index="A" OR index="B")  
| eval Satisfaction = if(Satisfaction="good with comment", "good", Satisfaction)
| eval Satisfaction = if(Satisfaction="bad with comment", "bad", Satisfaction)
| chart  count(Satisfaction) over _time span=1mon by Satisfaction usenull=f useother=f   
| appendcols  
[ | search (index="A" OR index="B") 
| chart count(Level) over _time span=1mon by Level usenull=f useother=f ]

 where Level is from index A and Satisfaction is from index B. The chart like this:

Screenshot 2023-07-20 171307.png

I tried to wrap your suggestions in the appendcols cause this is column chart part where I want to reverse the order  but it seemed won't work. 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

appendcols will sort the column names again.

Try it outside the appendcols

(index="A" OR index="B")  
| eval Satisfaction = if(Satisfaction="good with comment", "good", Satisfaction)
| eval Satisfaction = if(Satisfaction="bad with comment", "bad", Satisfaction)
| chart  count(Satisfaction) over _time span=1mon by Satisfaction usenull=f useother=f   
| appendcols  
[ | search (index="A" OR index="B") 
| chart count(Level) over _time span=1mon by Level usenull=f useother=f ]
| transpose 0 header_field=_time column_name=Level
| reverse
| transpose 0 header_field=Level column_name=_time

itnewbie
Explorer

Thank you. It worked. 

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...