Chart using span logs does not show the columns in range order

srenou
New Member

Hello,
I am trying to chart some response times and wanted to use the log span as follows:

index=myIndex "time_value" | chart count by time_ms bins=100 span=2log5

My concern is that Splunk seems to be doing some alphabetical sorting, which mixes up my span ranges.

For example, it shows the spans in the order of:
0 10-50 1250-6250 250-1250
while I would expect:
0 10-50 250-1250 1250-6250

Thanks for any help.
Stephane

woodcock
Esteemed Legend

You can fix this after the fact, like this:

| rename 0 AS "   0" "10-50" AS "  10-50" "250-1250" AS " 250-1250"

Note that 0 has been renamed with 3 leading spaces and 10-50 with just two (and so on until 1250-6250 is not renamed at all, so it has 0 spaces).
The whitespace is invisible in the chart but forces the alphabetical order that you desire.

srenou
New Member

Thanks for the proposal. Unfortunately, that does not seem to work for me, as the names are not getting changed by that process. I guess the chart is done before the rename and the rename has no effect. Looking at the Splunk sample, http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Chart#9:_Chart_the_average_number_... I am getting a different result, as the statistics data are not sorted on my side in my example, so I guess I may have some configuration issue or an invalid release.

woodcock
Esteemed Legend

If you are running a fields or table command, the fields may be re-sorted. Try stripping off the commands after the chart command to see where the re-sorting happens, and see if you can use a different command, or perhaps that command has a keepcolorder option (some commands do).

srenou
New Member

Thanks for the feedback.
Unfortunately, no. My request is just an index search piped to a chart count by MyCounter span=2log5.

My graph is strangely sorted, as are my statistics, as if it is doing alphabetical sorting instead of looking at the ranges.
But that drove me to thinking that I should force the sorting, so adding sort MyCounter did the trick.
Thanks again.

woodcock
Esteemed Legend

So what exactly was your final search?

srenou
New Member

My final search is:
index=myIndex "time_value" | chart count by time_ms bins=100 span=2log5 | sort time_ms bins

woodcock
Esteemed Legend

You need sort 0, not just sort.

srenou
New Member

Thanks for the feedback. Strangely, in my case the sort with the value is enough.
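
Added example, not part of the original thread: one way to make the ordering independent of how the range labels sort as strings is to extract each range's lower bound and sort on it numerically. It assumes chart returns one row per range with the label in time_ms (for example 10-50); range_start is a hypothetical helper field name that is dropped again at the end.

```spl
index=myIndex "time_value"
| chart count by time_ms bins=100 span=2log5
| rex field=time_ms "^(?<range_start>\d+)"
| sort 0 num(range_start)
| fields - range_start
```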
