Splunk Search

Chart by month still alphabetical

bwindham
Path Finder

Still fighting this after looking at many examples.

Data looks like this:
Kronos,Jun-12,100,Kronos,20120630010101
Kronos,May-12,100,Kronos,20120531010101
Kronos,Apr-12,98.484,Kronos,20120430010101
Fields are App,Month,Uptime,AppOwner,Date.

This search results in alphabetical order when using chart:

index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Month

Same thing sorting by _timestamp:

index=apps-monthly AND App="Kronos" | sort + _timestamp | chart avg(Uptime) by Month

Not very familiar with eval but looking at examples, that may be what is necessary to get this chart to sort properly.

Can anyone save me some time here?


Ayn
Legend

Well your "Month" field is just a field containing text. There's no way for Splunk to know that this specific text corresponds to some number, like that May is month number 5, so the only valid way of sorting is alphabetically. What you need to do in order to have months ordered properly is to point Splunk at a field that contains their actual number equivalent. Since you have these events in Splunk I'm assuming you already have valid timestamps for these events from the Date field. You could sort by this field and then use fieldformat to have it displayed with the month only (because it looks like you only have one event per month).

index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Date | fieldformat Date=strftime(Date,"%b")

Or because you already have the Month as a string in your event, just

index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Date | fieldformat Date=Month

would do.


bwindham
Path Finder

You put me on the right track... Month was actually mmm-yy. Used this and it worked:

index=apps-monthly AND App="Kronos" | chart avg(Uptime) by _time | fieldformat _time=strftime(_time,"%b-%y") | sort - _time

Thanks.
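As an added illustration (not code from the thread), the following Python models the two searches discussed here: grouping on the Month text label, which can only come back in alphabetical order as in the original chart, versus grouping on the real timestamp from the Date field and rendering it with strftime purely for display, as in the accepted answer and the final `chart avg(Uptime) by _time | fieldformat _time=strftime(_time,"%b-%y") | sort - _time`. It goes slightly beyond the thread in one place: the mmm-yy label itself can be parsed back into a date with strptime and used as the sort key when no timestamp field is available. The sample events are constructed from the layout posted in the question (with one extra April row so the average has something to average), and all function names are my own.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample events in the layout from the question:
# App,Month,Uptime,AppOwner,Date  (one extra April row added)
SAMPLE_EVENTS = """\
Kronos,Jun-12,100,Kronos,20120630010101
Kronos,May-12,100,Kronos,20120531010101
Kronos,Apr-12,98.484,Kronos,20120430010101
Kronos,Apr-12,99.516,Kronos,20120415010101
"""

FIELDS = ("App", "Month", "Uptime", "AppOwner", "Date")


def parse_events(text=SAMPLE_EVENTS):
    """Split the CSV lines into dicts. Date (YYYYmmddHHMMSS) becomes a real
    datetime in _time; Month stays the plain text it is in the event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = dict(zip(FIELDS, line.split(",")))
        event["Uptime"] = float(event["Uptime"])
        event["_time"] = datetime.strptime(event["Date"], "%Y%m%d%H%M%S")
        events.append(event)
    return events


def chart_by_month_text(events):
    """Models `chart avg(Uptime) by Month`: the split-by field is text, so the
    only ordering available is alphabetical (Apr, Jun, May)."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e["Month"]].append(e["Uptime"])
    return [(label, mean(vals)) for label, vals in sorted(buckets.items())]


def chart_by_time(events, fmt="%b-%y", descending=False):
    """Models `chart avg(Uptime) by _time | fieldformat _time=strftime(_time,fmt)
    | sort - _time`: group on the calendar month of the timestamp, order by
    time, and only then render the label with strftime for display."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["_time"].year, e["_time"].month)].append(e["Uptime"])
    rows = []
    for (year, month), vals in sorted(buckets.items(), reverse=descending):
        rows.append((datetime(year, month, 1).strftime(fmt), mean(vals)))
    return rows


def sort_month_labels(labels, fmt="%b-%y"):
    """Beyond the thread: with no timestamp field, the mmm-yy label can be
    parsed back into a date (strptime) and used as the sort key."""
    return sorted(labels, key=lambda label: datetime.strptime(label, fmt))


if __name__ == "__main__":
    evs = parse_events()
    print("by Month text :", [m for m, _ in chart_by_month_text(evs)])
    print("by _time      :", [m for m, _ in chart_by_time(evs)])
    print("by _time desc :", [m for m, _ in chart_by_time(evs, descending=True)])
    print("label strptime:", sort_month_labels(["Jun-12", "May-12", "Apr-12"]))
```

The point the model makes explicit is that fieldformat changes only how the value is displayed; the grouping and ordering still happen on the underlying timestamp, which is why the chart comes out chronological even though the rendered labels are the same "Apr-12" style text that sorted alphabetically before.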

Ayn
Legend

Awesome. Could you please mark my answer as accepted? Thanks!


