Re: How to Sort JSON Data by field value?

nkavouris · ‎01-24-2025

I have a base query which yield the field result, result can be either "Pass" or "Fail"

Sample query result is attached

How can I create a column chart with the count of passes and fails as different color columns?

here is my current search which yields a column chart with two columns of the same color

index="sampleindex" source="samplesource" | 
search test_name="IR Test" | 
search serial_number="TC-7"|
spath result | 
stats count by result

yuanliu · ‎01-25-2025

Splunk uses different colors for different numeric fields. Your stats command results in only one, count. There are many ways to make a field named Pass and another named Fail. As your output only contains a 2x2, the easiest is probably just transpose the output.

index="sampleindex" source="samplesource" test_name="IR Test" serial_number="TC-7"
| stats count by result
| transpose header_field=result

Additional tips:

Do not use screenshot to share text data. Share raw text.
Do not cascade filters that can be performed in initial index search.
Format Splunk searches with pipe sign at beginning of line, not end. You can enable "Search auto-format" in preferences to help you create readable searches.

How to Sort JSON Data by field value?

chart

fields

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Mile High Learning with Splunk University, Denver, Colorado

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Join the Conversation