- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Column Chart - Sorting months chronologically ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Morning Splunk Gurus
Can you tell me what is the simplest way of arranging months into order of date rather than alphabetical is?
Here is a link to my chart
Base Search.....
| chart count over date_month by Status
Many Thanks
D
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can try using timechart instead of chart command
....| timechart values(status)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you don't mind using date numbers instead of date names:
*|eval dateM=strftime(_time,"%m")| chart count over dateM by Status |sort -dateM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah that could work I guess
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can try using timechart instead of chart command
....| timechart values(status)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Nikita
I should have said I have 2 types of states....lets say "Good" and "Bad" and I get a value for each when using | chart count over date_month by Status - like below,
When I use ....| timechart values(status) - these good and bad values are not there and so my chart has nothing to show
date_month Good Bad
Dec 20 5
Nov 25 30
Oct 9 7
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Is date_month is the field in your events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also is date included in your logs?
And if good and bad are fields in your logs, you will have to do
..|timechart values(good) AS good values(bad) AS bad
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the field is "Status" and the 2 values are Good and Bad
So for Decembers you might have 20 good and 10 bad.....for Nov 15 good and 65 bad etc
I just want to show 3 months and each month should have a 2 bars, each bar showing a value.
Yeah I have _time and date values in logs
Thanks again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in which case, this should do it
*| timechart count by status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Nick
Thanks nikita
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah it is
ta
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Is date included in your events?
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
