Splunk Search

How can I sort the order of my sources to appear in my chart?

MichaelPriest
Communicator

Hoping someone can help me out. This is my search:

[| metadata type=sources index="test_inputs" | search source="GAL Servers ALL*" | sort recentTime desc | head 3 | fields source] search Type="Vuln" Severity="4" OR Severity="5"| chart count by Business_Service source | addtotals | sort -Total | fields - Total

And it returns this:
[screenshot of the resulting chart]

Currently each column is a different source, so 3 in total, called May 2015, June 2015, July 2015.

The problem that I have is that on my chart, it's displaying as July 2015, June 2015, May 2015.

How can I alter the search so it's displaying correctly?

1 Solution

somesoni2
SplunkTrust

This should do the trick

[| metadata type=sources index="test_inputs" | search source="GAL Servers ALL*" | sort recentTime desc | head 3 | fields source] search Type="Vuln" Severity="4" OR Severity="5"| chart count by Business_Service source | addtotals | sort -Total | table Business_Service [| metadata type=sources index="test_inputs" | search source="GAL Servers ALL*" | sort recentTime desc | head 3 | fields source | eval epoch=strptime(source,"%B %Y") | sort epoch asc | stats list(source) as source delim="," | nomv source | return $source]


woodcock
Esteemed Legend

You can use fields to manually reorder them, OR you can create another field, sort by it, and then remove it, like this:

index="test_inputs" source="GAL Servers ALL*" Type="Vuln" (Severity="4" OR Severity="5")| chart count by Business_Service source | addtotals | sort -Total | fields - Total | eval Time=strptime(Business_Service, "%B %Y") | sort 0 Time | fields - Time

senthilgoa
Engager

Use the search below:

index=win_srv_perf host=host  (source="Perfmon:FreeDiskSpace" OR source="Perfmon:LogicalDisk" OR source="Perfmon:LocalNetwork") |eval Time = strftime(_time,"%Y_%m_%B") | chart count by source Time | addtotals | sort -Total

With |eval Time = strftime(_time,"%Y_%m_%B") you get:
2015_05_May
2015_06_June
2015_07_July

Now you get the correct order.

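Added example, not code from any post in this thread and not Splunk's own code: a small Python model of why the columns come out as July 2015, June 2015, May 2015 (chart sorts the column labels as plain strings, and "July" < "June" < "May" alphabetically) and of the two fixes proposed here, somesoni2's parse-the-label-and-reorder approach and senthilgoa's sortable "%Y_%m_%B" labels. The events, service names and counts below are constructed for illustration; the real data is whatever the search over index="test_inputs" returns.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events standing in for what the thread's search returns
# after filtering Type="Vuln" and Severity 4 or 5. Field names follow the
# thread: Business_Service, and source (one monthly scan file per column).
SAMPLE_EVENTS = [
    {"Business_Service": "Payroll", "source": "May 2015"},
    {"Business_Service": "Payroll", "source": "May 2015"},
    {"Business_Service": "Payroll", "source": "June 2015"},
    {"Business_Service": "Payroll", "source": "July 2015"},
    {"Business_Service": "Email", "source": "May 2015"},
    {"Business_Service": "Email", "source": "July 2015"},
    {"Business_Service": "Email", "source": "July 2015"},
    {"Business_Service": "Intranet", "source": "June 2015"},
]


def parse_month_label(label, fmt="%B %Y"):
    """Python stand-in for eval epoch=strptime(source, "%B %Y").

    Returns a datetime, or None when the label does not match the format
    (Splunk's strptime leaves the field null in that case, so a sort on it
    has nothing to order by).
    """
    try:
        return datetime.strptime(label, fmt)
    except ValueError:
        return None


def chart_count(events, row_field, col_field):
    """chart count by <row_field> <col_field>: returns {row: {col: count}}."""
    table = defaultdict(lambda: defaultdict(int))
    for ev in events:
        table[ev[row_field]][ev[col_field]] += 1
    return table


def alphabetical_columns(table):
    """What chart does by default: column labels sorted as strings."""
    return sorted({col for counts in table.values() for col in counts})


def chronological_columns(table, fmt="%B %Y"):
    """The accepted answer's trick: parse each label as a date and sort on that.

    Labels the format cannot parse are kept, but placed after the dated ones
    in alphabetical order, so one odd column never breaks the chart.
    """
    labels = {col for counts in table.values() for col in counts}
    dated, undated = [], []
    for col in labels:
        when = parse_month_label(col, fmt)
        (dated if when is not None else undated).append((when, col))
    dated.sort(key=lambda pair: pair[0])
    undated.sort(key=lambda pair: pair[1])
    return [col for _, col in dated] + [col for _, col in undated]


def render(table, columns, row_field="Business_Service"):
    """addtotals | sort -Total | table <row_field> <columns>, Total dropped."""
    totals = {row: sum(counts.get(c, 0) for c in columns) for row, counts in table.items()}
    ordered_rows = sorted(table, key=lambda row: (-totals[row], row))
    header = [row_field] + list(columns)
    body = [[row] + [table[row].get(c, 0) for c in columns] for row in ordered_rows]
    return header, body


def sortable_month_label(when):
    """senthilgoa's alternative: build the label with strftime("%Y_%m_%B") so
    plain string order is already chronological (2015_05_May < 2015_06_June)."""
    return when.strftime("%Y_%m_%B")


if __name__ == "__main__":
    chart = chart_count(SAMPLE_EVENTS, "Business_Service", "source")
    print("default order:      ", alphabetical_columns(chart))
    print("chronological order:", chronological_columns(chart))
    header, body = render(chart, chronological_columns(chart))
    print(header)
    for row in body:
        print(row)
    # If the real source names carry a prefix, the format string must include
    # it literally (hypothetical prefix, assumed for illustration):
    print(parse_month_label("GAL Servers ALL May 2015", "GAL Servers ALL %B %Y"))
```

Run as-is and the default order prints July 2015, June 2015, May 2015, which is exactly the ordering the question complains about. One caveat for the accepted answer: if the real source names are not bare month names but carry a prefix such as the "GAL Servers ALL" used in the search, strptime(source,"%B %Y") returns null for every source and the epoch sort cannot reorder anything; the format string then has to include the prefix literally, as the last line of the block shows.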

MichaelPriest
Communicator

This didn't work, I'm afraid. It needs to be by source and business_service in the chart command. Any other suggestions?


senthilgoa
Engager

Instead of source and business_service I used source and Time. You will change it according to your fields.


MichaelPriest
Communicator

Yes, I tried your way and it ordered the sources correctly, i.e. May, June, July. But it only gave me an overall total for each source. I want to see each source by business_service. It will be broken down by 3:

For each source, get the total count by business_service and order it by Time (so it displays as May, June, July).

If i need to give more clarity let me know 🙂

Thanks


MichaelPriest
Communicator

The search has changed to:

index="test_inputs" source="GAL Servers ALL*" Type="Vuln" (Severity="4" OR Severity="5")| chart count by Business_Service source | addtotals | sort -Total | fields - Total