Re: How to Sort JSON Data by field value?

nkavouris · ‎01-24-2025

I have a base query which yield the field result, result can be either "Pass" or "Fail"

Sample query result is attached

How can I create a column chart with the count of passes and fails as different color columns?

here is my current search which yields a column chart with two columns of the same color

index="sampleindex" source="samplesource" | 
search test_name="IR Test" | 
search serial_number="TC-7"|
spath result | 
stats count by result

yuanliu · ‎01-25-2025

Splunk uses different colors for different numeric fields. Your stats command results in only one, count. There are many ways to make a field named Pass and another named Fail. As your output only contains a 2x2, the easiest is probably just transpose the output.

index="sampleindex" source="samplesource" test_name="IR Test" serial_number="TC-7"
| stats count by result
| transpose header_field=result

Additional tips:

Do not use screenshot to share text data. Share raw text.
Do not cascade filters that can be performed in initial index search.
Format Splunk searches with pipe sign at beginning of line, not end. You can enable "Search auto-format" in preferences to help you create readable searches.

How to Sort JSON Data by field value?

chart

fields

stats

Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and ...

It's Customer Success Time at .conf25

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Are you a member of the Splunk Community?