Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to chronologically sort headers in a table?

ASISH_9
Engager
‎12-09-2016 02:44 AM

I have the following table

ApplicationGroup          0-10        10-20      101-150     151-200     20-30       201-300      30-35     310-340

ABB                       1           3          5           3           6           2            8         2
avv                       6           8          8           8           5           9            3         7
FFD                       3           6          6           3           90          11           55        55

The number range that is shown is the Band and the numbers are basically the hours. I have created this using xyseries. As you can see the number ranges are not in order. Even if i apply sort, they are not coming in chronological order. Can we sort the number range header? If yes, how??

0 Karma
Reply

niketn
Legend
‎12-10-2016 12:56 PM

Option 1
You will have to prefix your ApplicationGroup values with "1. 0-10", "2. 10-20", "3. 20-30" etc.

your search | replace "0-10" with "1.0-10" in ApplicationGroup | replace "20-30" with "2. 20-30" in ApplicationGroup | ...

Option 2
If this works you can actually define your own lookup and map "0-10" to "1. 0-10". For example, if you create a lookup date_hour_chrono like the following example, you can use the query give below:

Date_Hour, Date_Hour_Chrono
"0-10","1. 0-10"
"10-20","2. 10-20"
"20-30","3. 20-30"
...
...

your search | lookup date_hour_chrono Date_Hour as Application_Group OUTPUT Date_Hour_Chrono | your remaining search

Option 3
One more option that you might have provided your query uses actual date_hour field extracted by Splunk from your event timestamp then you can feed the same to Splunk Punchcard visualization which plots Heat map across time series in both x and y axis and arranges according to time field selected like date_hour, date_wday etc.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sundareshr
Legend
‎12-09-2016 06:36 AM

Please share your query

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...