Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Arrange fields in bar chart in specific order

jangid
Builder
‎11-21-2012 09:35 AM

Search is 

<param name="search">eventtype="metrics" | stats count(eval(JobStatus="JOB.FINISHED")) as JobCompleted, count(eval(JobStatus="JOB.PENDING")) as JobPending by Stage | eval total=(JobCompleted/JobPending)*100 | chart values(total) as "Percentage" by Stage | lookup stage_lookup Stage OUTPUT StageName | fields - Stage | table StageName, Percentage | rename StageName as "Stage Name"</param>

it'll display bar chart in following order

Application - x% graph
System  - x% graph
Online  - x% graph
Report  - x% graph
SOD     - x% graph

I want to change the order to following

Application - x% graph
SOD    - x% graph
Report - x% graph
System - x% graph
Online - x% graph

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎11-21-2012 09:44 AM

You may find a better answer here:
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/sort

but I solve using eval below: (most will recommend case instead of if)
http://docs.splunk.com/Documentation/Splunk/5.0.1/searchreference/eval
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/CommonEvalFunctions

| eval StageNameNew=if(StageName="Application","1. Application",if(StageName="SOD","2. SOD",if(StageName="Report","3. Report",if(StageName="System","4. System",if(StageName="Online","5. Online","Other or Unknown Stage")))))| table StageNameNew, Percentage | rename StageNameNew as StageName

View solution in original post

Reply
Solved! Jump to solution

Kenshiro70
Path Finder
‎06-21-2018 08:57 AM

Use the fields command, like so:

| table StageName Percentage
| chart max(Percentage) as Percentage by StageName
| transpose column_name="Title" header_field=StageName
| fields Title Application SOD Report System Online

Note that I had to use transpose to move the Percentage values to columns. For timecharts, you wouldn't need to do that.

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎11-21-2012 09:44 AM

You may find a better answer here:
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/sort

but I solve using eval below: (most will recommend case instead of if)
http://docs.splunk.com/Documentation/Splunk/5.0.1/searchreference/eval
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/CommonEvalFunctions

| eval StageNameNew=if(StageName="Application","1. Application",if(StageName="SOD","2. SOD",if(StageName="Report","3. Report",if(StageName="System","4. System",if(StageName="Online","5. Online","Other or Unknown Stage")))))| table StageNameNew, Percentage | rename StageNameNew as StageName
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎01-17-2013 06:56 AM

Awesome, glad to help, thanks for marking my answer as the accepted solution.

0 Karma
Reply
Solved! Jump to solution

jangid
Builder
‎11-23-2012 04:47 AM

I did it in another way but it was not possible without your above solution.

Thanks

0 Karma
Reply
Solved! Jump to solution

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-23-2015 12:05 PM

Can you post your answer please?

0 Karma
Reply
Solved! Jump to solution

jangid
Builder
‎11-23-2012 01:32 AM

Thanks jkat54
UI looks very ugly and I don't want to any prefix before Job type.

Is there any other alternate? How Splunk decide the field order?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...