Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Column Chart - Sorting months chronologically and not alphabetically

DDewarSplunk
New Member
‎12-19-2017 03:08 AM

Morning Splunk Gurus

Can you tell me what is the simplest way of arranging months into order of date rather than alphabetical is?
Here is a link to my chart

https://imgur.com/a/g8nor

Base Search.....
| chart count over date_month by Status

Many Thanks

D

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nikita_p
Contributor
‎12-19-2017 03:48 AM

Hi,
You can try using timechart instead of chart command
....| timechart values(status)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎12-19-2017 04:11 AM

If you don't mind using date numbers instead of date names:

*|eval dateM=strftime(_time,"%m")| chart count over dateM by Status |sort -dateM
If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

DDewarSplunk
New Member
‎12-19-2017 04:15 AM

Yeah that could work I guess

0 Karma
Reply
Solved! Jump to solution
Solution

nikita_p
Contributor
‎12-19-2017 03:48 AM

Hi,
You can try using timechart instead of chart command
....| timechart values(status)

0 Karma
Reply
Solved! Jump to solution

DDewarSplunk
New Member
‎12-19-2017 04:01 AM

Thanks Nikita

I should have said I have 2 types of states....lets say "Good" and "Bad" and I get a value for each when using | chart count over date_month by Status - like below,

When I use ....| timechart values(status) - these good and bad values are not there and so my chart has nothing to show

date_month Good Bad
Dec 20 5
Nov 25 30
Oct 9 7

0 Karma
Reply
Solved! Jump to solution

nikita_p
Contributor
‎12-19-2017 04:08 AM

Hi,
Is date_month is the field in your events?

0 Karma
Reply
Solved! Jump to solution

nikita_p
Contributor
‎12-19-2017 04:17 AM

Also is date included in your logs?
And if good and bad are fields in your logs, you will have to do
..|timechart values(good) AS good values(bad) AS bad

0 Karma
Reply
Solved! Jump to solution

DDewarSplunk
New Member
‎12-19-2017 04:30 AM

So the field is "Status" and the 2 values are Good and Bad

So for Decembers you might have 20 good and 10 bad.....for Nov 15 good and 65 bad etc

I just want to show 3 months and each month should have a 2 bars, each bar showing a value.

Yeah I have _time and date values in logs

Thanks again

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎12-19-2017 04:47 AM

in which case, this should do it
*| timechart count by status

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

DDewarSplunk
New Member
‎12-19-2017 06:20 AM

Thanks Nick
Thanks nikita

0 Karma
Reply
Solved! Jump to solution

DDewarSplunk
New Member
‎12-19-2017 04:12 AM

Yeah it is

ta

0 Karma
Reply
Solved! Jump to solution

nikita_p
Contributor
‎12-19-2017 03:43 AM

Hi,
Is date included in your events?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...