Solved: How can I sort the order of my sources to appear i...

MichaelPriest · ‎07-22-2015

Hoping someone can help me out. This is my search:

[| metadata type=sources index="test_inputs" | search source="GAL Servers ALL*" | sort recentTime desc | head 3 | fields source] search Type="Vuln" Severity="4" OR Severity="5"| chart count by Business_Service source | addtotals | sort -Total | fields - Total

And it returns this:

Currently each column is a different source, so 3 in total, called May 2015, June 2015, July 2015.

The problem that i have is that on my chart, it's displaying as July 2015, June 2015, May 2015.

How can i alter the search so it's displaying correctly?

somesoni2 · ‎07-24-2015

This should do the trick

[| metadata type=sources index="test_inputs" | search source="GAL Servers ALL*" | sort recentTime desc | head 3 | fields source] search Type="Vuln" Severity="4" OR Severity="5"| chart count by Business_Service source | addtotals | sort -Total | table Business_Service [| metadata type=sources index="test_inputs" | search source="GAL Servers ALL*" | sort recentTime desc | head 3 | fields source | eval epoch=strptime(source,"%B %Y") | sort epoch asc | stats list(source) as source delim="," | nomv source | return $source]

View solution in original post

somesoni2 · ‎07-24-2015

This should do the trick

[| metadata type=sources index="test_inputs" | search source="GAL Servers ALL*" | sort recentTime desc | head 3 | fields source] search Type="Vuln" Severity="4" OR Severity="5"| chart count by Business_Service source | addtotals | sort -Total | table Business_Service [| metadata type=sources index="test_inputs" | search source="GAL Servers ALL*" | sort recentTime desc | head 3 | fields source | eval epoch=strptime(source,"%B %Y") | sort epoch asc | stats list(source) as source delim="," | nomv source | return $source]

woodcock · ‎07-24-2015

You can use fields to manually reorder them OR you can create another field, sort by it, and then remove it like this

index="test_inputs" source="GAL Servers ALL*" Type="Vuln" (Severity="4" OR Severity="5")| chart count by Business_Service source | addtotals | sort -Total | fields - Total | eval Time=strptime(Business_Service, "%B %Y") | sort 0 Time | fields - Time

senthilgoa · ‎07-22-2015

Use the search below:

index=win_srv_perf host=host  (source="Perfmon:FreeDiskSpace" OR source="Perfmon:LogicalDisk" OR source="Perfmon:LocalNetwork") |eval Time = strftime(_time,"%Y_%m_%B") | chart count by source Time | addtotals | sort -Total

|eval Time = strftime(_time,"%Y_%m_%B") you get
2015_05_May
2015_06_June

2015_07_July

now you get correct order

MichaelPriest · ‎07-22-2015

This didn't work i'm afraid. It needs to be by source and business_service in the chart command. Any other suggestions?

senthilgoa · ‎07-22-2015

instead of source and business_service i used source and Time. you will change according to your fields

MichaelPriest · ‎07-22-2015

Yes i tried your way and it ordered the sources correctly, i.e. May June July. But it only gave me a overall total for each source. I want to see each source by business_service. it will be broken down by 3:

for each source get the total count by business_service and order it by Time (so it displays it as May June July)

If i need to give more clarity let me know 🙂

thanks

MichaelPriest · ‎07-22-2015

The search has changed to:

index="test_inputs" source="GAL Servers ALL*" Type="Vuln" (Severity="4" OR Severity="5")| chart count by Business_Service source | addtotals | sort -Total | fields - Total

How can I sort the order of my sources to appear in my chart?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!