Dashboards & Visualizations

Visualization in chart - How to make first new and then closed?

Vish
Explorer

I have created a bar chart with a y-axis of status count, which are new and closed, but it's displaying first the closed bar block, then the new bar block. But now I need it to be first new and then closed. How to do it?

0 Karma

ITWhisperer
SplunkTrust

Columns are displayed in the order they appear in the table - these are normally sorted alphabetically / lexicographically. You should rename your series so that they are in the order you want them, generate the chart statistics, then rename them back to the names you want.

0 Karma

Vish
Explorer

But how? Can you explain clearly?

0 Karma

ITWhisperer
SplunkTrust

Given that you haven't shared your events or your current SPL, I have made some results up to demonstrate what I mean. You can study the technique and apply it to your scenario.

Firstly, here is a generated chart similar to your example:

| makeresults count=100
| eval status=mvindex(split("Closed,Open",","),random()%2)
| bin _time span=1d
| chart count by _time status

Here are the modifications to switch the order of the columns:

| makeresults count=100
| eval status=mvindex(split("Closed,Open",","),random()%2)
| bin _time span=1d
| eval status=case(status=="Closed","2:".status,status=="Open","1:".status)
| chart count by _time status
| transpose 0 column_name=status header_field=_time
| eval status=mvindex(split(status,":"),1)
| transpose 0 column_name=_time header_field=status

0 Karma

Vish
Explorer

This can be used when open and closed are values of a column,

but in my case week, open and closed are three different columns, in which the open and closed columns have the count of each week, so I can't use this method.

0 Karma

ITWhisperer
SplunkTrust

Perhaps it would be useful if you shared what SPL you do have rather than making us guess? Also, some sample events would be useful too.

0 Karma