Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

sort bars in a chart so that Yesterday's bar is on the left of Today's bar for each value of "over" field

nickrally2009
Explorer
‎03-16-2020 11:31 AM

I have this search, and it works correctly:

 source=foo resource=bar earliest=-1d@d latest=now
 | eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
 | rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)"
 | chart max(usage) over id by Day | where Yesterday!=Today | sort Today

It shows Today's bar on the left of Yesterday's bar for each id. I tried to reverse the order, to show Yesterday's bar on the left of Today's bar for each id, but did not find a way to make it work unless I rename the column(s), e.g. rename "Yesterday" to "Before" and rename "Today" to "Now". It appears that the default behavior is to sort in alphabetical order. Is there a better way to do this?
Thank you

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

niketnilay
Legend
‎03-16-2020 10:18 PM

Try the following.

   source=foo resource=bar earliest=-1d@d latest=now
  | eval Day=if(_time<relative_time(now(),"@d"),"1.Yesterday","2.Today")
  | rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)"
  | chart max(usage) over id by Day 
  | where "1.Yesterday"!="2.Today"
  | rename "1.Yesterday" as "Yesterday" "2.Today" as Today
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-17-2020 10:16 AM

Add this:

... | rename Yesterday AS " Yesterday"

Adding the space will re-order the fields but be invisible.

Reply
Solved! Jump to solution

nickrally2009
Explorer
‎03-17-2020 12:26 PM

Thank you, that's clever, will keep that in mind.
I accepted niketnilay's answer because it was first. In the end I did not use rename but used 

| table, id, Yesterday, Today
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-17-2020 03:57 PM

Curses, foiled again! Thanks for the UpVote! 😆

0 Karma
Reply
Solved! Jump to solution
Solution

niketnilay
Legend
‎03-16-2020 10:18 PM

Try the following.

   source=foo resource=bar earliest=-1d@d latest=now
  | eval Day=if(_time<relative_time(now(),"@d"),"1.Yesterday","2.Today")
  | rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)"
  | chart max(usage) over id by Day 
  | where "1.Yesterday"!="2.Today"
  | rename "1.Yesterday" as "Yesterday" "2.Today" as Today
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

nickrally2009
Explorer
‎03-17-2020 07:49 AM

Thank you @niketnilay . I used Before and Now instead of Yesterday and Today respectively as an alternative to renaming, hoped there is a sort variation that could reverse the order instead of renaming.
There is also another way: | table, id, Yesterday, Today

0 Karma
Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!