Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Chart by X but sort by Y

emmby
Engager
‎07-21-2014 09:35 AM

I have a chart that shows the count of users of my app by the version of the app that they're using. It works great.

The only problem is that my version numbers are not alphabetically sortable (2.10.1234 comes after 2.2.2345 chronologically but not alphabetically), so they are not displayed in the proper order along the X axis.

I have a field, called buildnum, that has the correct ordering of the versions. If I display count of users by buildnum, the graph is in the correct order. However, I do not want buildnum in the X axis -- the viewers of my graph have no idea what buildnum is, they want to see the app version.

How can I sort the X axis of a chart by another field which is not displayed in the chart?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

aweitzman
Motivator
‎07-21-2014 10:47 AM

You should be able to just include the version number in the initial result, and then throw the build number away when it comes time to create your chart:

... | stats count(user) as "User Count" by buildnum, versionnum | sort buildnum | fields versionnum "User Count"

Alternatively, you can create a CSV lookup file to convert a buildnum to a versionnum and reference it that way:

... | stats count(user) as "User Count" by buildnum | sort buildnum | lookup buildnum_to_versionnum.csv buildnum OUTPUT versionnum | fields versionnum "User Count"

View solution in original post

Reply
Solved! Jump to solution

aweitzman
Motivator
‎07-21-2014 02:04 PM

Then you'll definitely need a lookup. Then you can do something like this:

... | chart count(user) by buildnum, eventType | lookup buildnum_to_clientversion buildnum OUTPUT clientVersion | fields - buildnum | table clientVersion, *

The chart command should order things by buildnum. The lookup will go into the CSV file you've created that maps buildnum to clientVersion, pull out the clientVersion, and add it to the result. The fields command removes the buildnum field from the result, and finally, the table command reorders the fields so that the clientVersion comes first. Now your chart should show properly.

Read about lookups in the Splunk documentation. There are a couple of ways you can do them, so you need to pick the most appropriate way to do it for your environment.

0 Karma
Reply
Solved! Jump to solution
Solution

aweitzman
Motivator
‎07-21-2014 10:47 AM

You should be able to just include the version number in the initial result, and then throw the build number away when it comes time to create your chart:

... | stats count(user) as "User Count" by buildnum, versionnum | sort buildnum | fields versionnum "User Count"

Alternatively, you can create a CSV lookup file to convert a buildnum to a versionnum and reference it that way:

... | stats count(user) as "User Count" by buildnum | sort buildnum | lookup buildnum_to_versionnum.csv buildnum OUTPUT versionnum | fields versionnum "User Count"

Reply
Solved! Jump to solution

emmby
Engager
‎07-21-2014 01:22 PM

There's one more piece of information that I didn't realize was significant. My chart command currently looks like "chart count(user) by clientVersion, eventType" because I have a few different event types that I'm looking at. It seems that I can't add "buildnum" to the "by" field in stats because there are two fields already there. Is there a workaround for that?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...