Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Days in Alphabetical Order but need to be in day order..Tried using documentation advice but still won't work

zd00191
Communicator
‎07-30-2015 06:37 PM

I have the following search that creates a bar chart with the days of the week on the vertical axis. THe days are in alphabetical order and I need them to be in order of the week to date so Sunday Monday tuesday wednesday thursday friday.

index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" JOB_NAME="*" job_status=SUCCESS OR job_status=FAILURE OR job_status=RESTART OR job_status="TERMINATED" |stats count(JOB_NAME) as "Number of Jobs" by date_wday,job_status |eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="weekend",6) | sort sort_field | fields - sort_field |xyseries date_wday,job_status,"Number of Jobs"

Please help! Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-30-2015 07:03 PM

Try this:

index=ko_autosys AND sourcetype=autosys_applog_scheduler_events AND JOB_NAME="*"
AND (host="usatlb98" OR host="usatlb91") 
AND (job_status="SUCCESS" OR job_status="FAILURE" OR job_status="RESTART" OR job_status="TERMINATED")
| stats count(JOB_NAME) as "Number of Jobs" BY date_wday job_status
| xyseries date_wday,job_status,"Number of Jobs"
| eval sort_field = case(date_wday=="monday",    1,
                         date_wday=="tuesday",   2,
                         date_wday=="wednesday", 3,
                         date_wday=="thursday",  4,
                         date_wday=="friday",    5,
                         date_wday=="saturday",  6,
                         date_wday=="sunday",    7)
| sort 0 sort_field
| fields - sort_field

View solution in original post

Reply
Solved! Jump to solution

aschneps
Engager
‎11-20-2015 01:41 AM

Hi all,

for me and my needs a simpler way worked fine for me, just in regards or sorting Monday - Sunday in the order I like

Try this:

...|chart count(yourfiled) by date_hour date_wday | table date_hour, monday, thuesday,wednesday,thursday,friday,saturday,sunday | sort date_hour

Hope this helps everyone targeting the same problem.

Reply
Solved! Jump to solution

gavinliston
Engager
‎01-15-2018 09:13 AM

I downvoted this post because did not work

0 Karma
Reply
Solved! Jump to solution

bgstein
Path Finder
‎09-28-2018 11:55 AM

Worked for me and gave me just what I wanted. Thanks! Albeit for a simpler search.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-30-2015 07:03 PM

Try this:

index=ko_autosys AND sourcetype=autosys_applog_scheduler_events AND JOB_NAME="*"
AND (host="usatlb98" OR host="usatlb91") 
AND (job_status="SUCCESS" OR job_status="FAILURE" OR job_status="RESTART" OR job_status="TERMINATED")
| stats count(JOB_NAME) as "Number of Jobs" BY date_wday job_status
| xyseries date_wday,job_status,"Number of Jobs"
| eval sort_field = case(date_wday=="monday",    1,
                         date_wday=="tuesday",   2,
                         date_wday=="wednesday", 3,
                         date_wday=="thursday",  4,
                         date_wday=="friday",    5,
                         date_wday=="saturday",  6,
                         date_wday=="sunday",    7)
| sort 0 sort_field
| fields - sort_field
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...