Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I change the order of the fields in my piechart?

tamduong16
Contributor
‎08-29-2017 08:52 AM

I have the following search:

....| eval "cs"=case(CallRate<=250,"Under 250 kps", CallRate<=500,"Under 500 kps", CallRate<=750,"Under 750 kps", CallRate<=1000,"Under 1000 kps", CallRate<=1250,"Under 1250 kps",  CallRate>1250, "Above 1250 kps") | stats count by cs | eval cs=cs+" -- "+count + "calls"

I want to make the piechart easy for my client to understand but the fields in the piechart organize themselves alphabetically. Is there a way I could sort them by the original way like above? The following is the result piechart:

alt text

I want it to be in this order:
Under 250 kps, Under 500 kps, Under 750 kps, Under 1000 kps, Under1250 kps, Above 1250 kps

Preview file
12 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tamduong16
Contributor
‎08-29-2017 12:37 PM

| eval "cs"=case(CallRate<=250,"1.Under 250kps", CallRate<=500,"2.Under 500kps", CallRate<=750,"3.Under 750kps", CallRate<=1000,"4.Under 1000kps", CallRate<=1250,"5.Under 1250kps", CallRate>1250, "6.Above 1250kps") | stats count by cs| eval "cs"=replace('cs',"^(\d{1}).","")
| eval cs=cs+" -- "+count + "calls"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tamduong16
Contributor
‎08-29-2017 12:37 PM

| eval "cs"=case(CallRate<=250,"1.Under 250kps", CallRate<=500,"2.Under 500kps", CallRate<=750,"3.Under 750kps", CallRate<=1000,"4.Under 1000kps", CallRate<=1250,"5.Under 1250kps", CallRate>1250, "6.Above 1250kps") | stats count by cs| eval "cs"=replace('cs',"^(\d{1}).","")
| eval cs=cs+" -- "+count + "calls"

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-29-2017 12:41 PM

If your problem is resolved, please accept an answer (even if it's your own).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-29-2017 10:18 AM

@tamduong16, sequence them in your case() function so that they get automatically sorted. Try the following:

| eval "cs"=case(CallRate<=250,"1. Under 250 kps", CallRate<=500,"2. Under 500 kps", CallRate<=750,"3. Under 750 kps", CallRate<=1000,"4. Under 1000 kps", CallRate<=1250,"5. Under 1250 kps",  CallRate>1250, "6. Above 1250 kps") 
| stats count by cs 
| eval cs=cs+" -- "+count + "calls"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

tamduong16
Contributor
‎08-29-2017 12:36 PM

Thanks for the idea. It works but give me unwanted numeric at the beginning which I could write another eval expression to resolve that and work perfect. Here is the eval expression I added in.

| eval "cs"=case(CallRate<=250,"1.Under 250kps", CallRate<=500,"2.Under 500kps", CallRate<=750,"3.Under 750kps", CallRate<=1000,"4.Under 1000kps", CallRate<=1250,"5.Under 1250kps", CallRate>1250, "6.Above 1250kps") | stats count by cs| eval "cs"=replace('cs',"^(\d{1}).","")
| eval cs=cs+" -- "+count + "calls"

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-29-2017 09:41 AM

You can force an order by adding a numeric field to sort against. See this example.

... | eval "cs"=case(CallRate<=250,"Under 250 kps", CallRate<=500,"Under 500 kps", CallRate<=750,"Under 750 kps", CallRate<=1000,"Under 1000 kps", CallRate<=1250,"Under 1250 kps", CallRate>1250, "Above 1250 kps") | eval sortOrder=case(CallRate<=250,1, CallRate<=500,2, CallRate<=750,3, CallRate<=1000,4, CallRate<=1250,5, CallRate>1250, 6) | stats count values(sortOrder) as sortOrder by cs | eval cs=cs+" -- "+count + "calls" | sort sortOrder
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

tamduong16
Contributor
‎08-29-2017 10:04 AM

this doesn't work 😞
The fields in the piechart don't get sort and in addition it make everything harder to read.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-29-2017 10:55 AM

Hmm... It works on my laptop under Splunk 6.6.2.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...