Re: How to Sort JSON Data by field value?

nkavouris · ‎01-24-2025

I have a base query which yield the field result, result can be either "Pass" or "Fail"

Sample query result is attached

How can I create a column chart with the count of passes and fails as different color columns?

here is my current search which yields a column chart with two columns of the same color

index="sampleindex" source="samplesource" | 
search test_name="IR Test" | 
search serial_number="TC-7"|
spath result | 
stats count by result

yuanliu · ‎01-25-2025

Splunk uses different colors for different numeric fields. Your stats command results in only one, count. There are many ways to make a field named Pass and another named Fail. As your output only contains a 2x2, the easiest is probably just transpose the output.

index="sampleindex" source="samplesource" test_name="IR Test" serial_number="TC-7"
| stats count by result
| transpose header_field=result

Additional tips:

Do not use screenshot to share text data. Share raw text.
Do not cascade filters that can be performed in initial index search.
Format Splunk searches with pipe sign at beginning of line, not end. You can enable "Search auto-format" in preferences to help you create readable searches.

How to Sort JSON Data by field value?

chart

fields

stats

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Join the Conversation