Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Chart by month still alphabetical
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still fighting this after looking at many examples.
Data looks like this:
Kronos,Jun-12,100,Kronos,20120630010101
Kronos,May-12,100,Kronos,20120531010101
Kronos,Apr-12,98.484,Kronos,20120430010101
Fields are App,Month,Uptime,AppOwner,Date.
This search results in alphabetical when using chart: index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Month
Same thing sindex=apps-monthly AND App="Kronos" |sort + _timestamp | chart avg(Uptime) by Month orting by _timestamp:
Not very familiar with eval but looking at examples, that may be what is necessary to get this chart to sort properly.
Can anyone save me some time here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well your "Month" field is just a field containing text. There's no way for Splunk to know that this specific text corresponds to some number, like that May is month number 5, so the only valid way of sorting is alphabetically. What you need to do in order to have months ordered properly is to point Splunk at a field that contains their actual number equivalent. Since you have these events in Splunk I'm assuming you already have valid timestamps for these events from the Date field. You could sort by this field and then use fieldformat to have it displayed with the month only (because it looks like you only have one event per month).
index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Date | fieldformat Date=strftime(Date,"%b")
Or because you already have the Month as a string in your event, just
index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Date | fieldformat Date=Month
would do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You put me on the right track....Month was actually mmm-yy. Used this and it worked:
index=apps-monthly AND App="Kronos" | chart avg(Uptime) by _time | fieldformat _time=strftime(_time,"%b-%y") | sort - _time
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome. Could you please mark my answer as accepted? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well your "Month" field is just a field containing text. There's no way for Splunk to know that this specific text corresponds to some number, like that May is month number 5, so the only valid way of sorting is alphabetically. What you need to do in order to have months ordered properly is to point Splunk at a field that contains their actual number equivalent. Since you have these events in Splunk I'm assuming you already have valid timestamps for these events from the Date field. You could sort by this field and then use fieldformat to have it displayed with the month only (because it looks like you only have one event per month).
index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Date | fieldformat Date=strftime(Date,"%b")
Or because you already have the Month as a string in your event, just
index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Date | fieldformat Date=Month
would do.
Splunk Observability for AI
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability as Code: From Zero to Dashboard
