Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to chronologically sort headers in a table?

ASISH_9
Engager
‎12-09-2016 02:44 AM

I have the following table

ApplicationGroup          0-10        10-20      101-150     151-200     20-30       201-300      30-35     310-340

ABB                       1           3          5           3           6           2            8         2
avv                       6           8          8           8           5           9            3         7
FFD                       3           6          6           3           90          11           55        55

The number range that is shown is the Band and the numbers are basically the hours. I have created this using xyseries. As you can see the number ranges are not in order. Even if i apply sort, they are not coming in chronological order. Can we sort the number range header? If yes, how??

0 Karma
Reply

niketn
Legend
‎12-10-2016 12:56 PM

Option 1
You will have to prefix your ApplicationGroup values with "1. 0-10", "2. 10-20", "3. 20-30" etc.

your search | replace "0-10" with "1.0-10" in ApplicationGroup | replace "20-30" with "2. 20-30" in ApplicationGroup | ...

Option 2
If this works you can actually define your own lookup and map "0-10" to "1. 0-10". For example, if you create a lookup date_hour_chrono like the following example, you can use the query give below:

Date_Hour, Date_Hour_Chrono
"0-10","1. 0-10"
"10-20","2. 10-20"
"20-30","3. 20-30"
...
...

your search | lookup date_hour_chrono Date_Hour as Application_Group OUTPUT Date_Hour_Chrono | your remaining search

Option 3
One more option that you might have provided your query uses actual date_hour field extracted by Splunk from your event timestamp then you can feed the same to Splunk Punchcard visualization which plots Heat map across time series in both x and y axis and arranges according to time field selected like date_hour, date_wday etc.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sundareshr
Legend
‎12-09-2016 06:36 AM

Please share your query

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...