Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to chronologically sort headers in a table?

ASISH_9
Engager
‎12-09-2016 02:44 AM

I have the following table

ApplicationGroup          0-10        10-20      101-150     151-200     20-30       201-300      30-35     310-340

ABB                       1           3          5           3           6           2            8         2
avv                       6           8          8           8           5           9            3         7
FFD                       3           6          6           3           90          11           55        55

The number range that is shown is the Band and the numbers are basically the hours. I have created this using xyseries. As you can see the number ranges are not in order. Even if i apply sort, they are not coming in chronological order. Can we sort the number range header? If yes, how??

0 Karma
Reply

niketn
Legend
‎12-10-2016 12:56 PM

Option 1
You will have to prefix your ApplicationGroup values with "1. 0-10", "2. 10-20", "3. 20-30" etc.

your search | replace "0-10" with "1.0-10" in ApplicationGroup | replace "20-30" with "2. 20-30" in ApplicationGroup | ...

Option 2
If this works you can actually define your own lookup and map "0-10" to "1. 0-10". For example, if you create a lookup date_hour_chrono like the following example, you can use the query give below:

Date_Hour, Date_Hour_Chrono
"0-10","1. 0-10"
"10-20","2. 10-20"
"20-30","3. 20-30"
...
...

your search | lookup date_hour_chrono Date_Hour as Application_Group OUTPUT Date_Hour_Chrono | your remaining search

Option 3
One more option that you might have provided your query uses actual date_hour field extracted by Splunk from your event timestamp then you can feed the same to Splunk Punchcard visualization which plots Heat map across time series in both x and y axis and arranges according to time field selected like date_hour, date_wday etc.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sundareshr
Legend
‎12-09-2016 06:36 AM

Please share your query

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...