Splunk Search

How to reordering the chart columns fields?

kkarthik2
Observer

My chart columns is in time format and its showing each column represent per hours and starts from 00:00:00 to 24:00:00.
But I want to reordering the column from 9:00:00 to 8:00:00.
Example : Required the below format
column1 column2 column3 column4 column5..........................................column23 column 24
X 9:00:00 10:00:00 11:00:00 12:00:00 13:00:00..........................................07:00:00 08:00:00
foo foo1 foo1 foo1 foo1 foo1

but its showing like

              column1    column2         column3        column4    column5..........................................column23    column 24 

X 00:00:00 1:00:00 2:00:00 3:00:00 4:00:00.......................................... 23:00:00 24:00:00
foo foo1 foo1 foo1 foo1 foo1

Mychart command

chart values(foo) by X column

Please provide me the solution

Tags (2)
0 Karma

somesoni2
Revered Legend

If your column names are fixed, you can just issue a table command at the end of your search to change the column ordering. Something like this-

Your base search | chart values(foo) by X column | table X "9:00:00" "10:00:00" "11:00:00" "12:00:00" "13:00:00" .........................................."07:00:00" "08:00:00"
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...