Solved: Re: How to re-arrange a bar chart

jhoang · ‎02-01-2016

Hi,

I would like to sort my bar chart's by the following sequence, (Intensive, Intermediate, Minimal, Moderate). However it is currently being sorted alphabetically (Intensive, Intermediate, Minimal, Moderate.)

Below is my current search function:

index="sdp" Level !="Not Assigned" Urgency="*" | chart count over Level by Urgency | eval Level=if(Level="Intensive", "1. Intensive", if(Level="Intermediate","2. Intermediate", if(Level="Moderate","3. Moderate", if(Level="Minimal", "4. Minimal"

lguinn2 · ‎02-01-2016

Put the eval before the chart, like this

index="sdp" Level !="Not Assigned" Urgency="*" 
| eval Level=if(Level="Intensive", "1. Intensive", 
             if(Level="Intermediate","2. Intermediate", 
              if(Level="Moderate","3. Moderate",
            if(Level="Minimal", "4. Minimal"))))
| chart count by Level Urgency

View solution in original post

somesoni2 · ‎02-03-2016

I don't see any difference in your expected and current sort order. Do you expect Intensive, Intermediate, Moderate, Minimal as final sorting??? If yes, then @Iguinn's answer will give you correct sort order, after you update the expected sequence in that.

jhoang · ‎02-03-2016

Yea, that is correct, but when I ran Inguinn query, I received error message (Error in 'eval' command: The arguments to the 'if' function are invalid.)

chimell · ‎02-02-2016

Hi
try this search code

index="sdp" Level !="Not Assigned" Urgency="*" | chart count over Level by Urgency | eval Level=case(Level=="Intensive", "1. Intensive", Level=="Intermediate","2. Intermediate", Level=="Moderate","3. Moderate", Level=="Minimal", "4. Minimal")

jhoang · ‎02-02-2016

Hi Chimell,

The above query added the values to the different urgency (1,2,3,4) but it is still being arranged in :

1)intensive
2) intermediate
4) Minimal
3) moderate

jhoang · ‎02-03-2016

Hi Chimell,

Any update on this?

lguinn2 · ‎02-01-2016

Put the eval before the chart, like this

index="sdp" Level !="Not Assigned" Urgency="*" 
| eval Level=if(Level="Intensive", "1. Intensive", 
             if(Level="Intermediate","2. Intermediate", 
              if(Level="Moderate","3. Moderate",
            if(Level="Minimal", "4. Minimal"))))
| chart count by Level Urgency

jhoang · ‎02-02-2016

Hi Iguinn,

Another agent is helping me on this item, thank you.

somesoni2 · ‎02-03-2016

Here is same query with case instead of if.

index="sdp" Level !="Not Assigned" Urgency="*"  | eval Level=case(Level="Intensive", "1. Intensive", Level="Intermediate","2. Intermediate",Level="Moderate","3. Moderate", Level="Minimal", "4. Minimal", 1=1, "5. Not defined") | chart count by Level Urgency

Make sure the numbering is as per your need.

jhoang · ‎02-03-2016

it worked!!!! Thank you Somesoni2!!!

How to re-arrange a bar chart

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!