Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sort column headers in timechart?

HeinzWaescher
Motivator
‎12-04-2013 02:40 AM

Hi,

I've got a timechart with several columns. The headers of these columns are numbers (0,1,2,3... etc) and I would like to sort the columns ascending. With the sort command it doesn't work, perhaps somebody can help me here 🙂

Thanks in advance

Heinz

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2013 04:23 AM

Fields can be "sorted" using the fields command.

your_search | fields col0 col1 col2 col3 col4 col5

Per http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractio..., you may not have fields that begin with 0-9.

Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk Enterprise's internal variables.

=EDIT=

Based on your comment, I can say that they are sorted by numeral already, just that it is based on the beginning number. To do what you want, do this:

your_search | eval tt = case(X<10,"00".X,X<100,"0".X,1=1,X) | timechart count by tt

Add additional case statements for each increase in the tens place, and make sure the padding is correct.

View solution in original post

Reply
Solved! Jump to solution

chakuttha
Explorer
‎10-26-2022 07:33 PM

Thank you so much.

 

Best Regards,

CR

0 Karma
Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2013 04:23 AM

Fields can be "sorted" using the fields command.

your_search | fields col0 col1 col2 col3 col4 col5

Per http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractio..., you may not have fields that begin with 0-9.

Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk Enterprise's internal variables.

=EDIT=

Based on your comment, I can say that they are sorted by numeral already, just that it is based on the beginning number. To do what you want, do this:

your_search | eval tt = case(X<10,"00".X,X<100,"0".X,1=1,X) | timechart count by tt

Add additional case statements for each increase in the tens place, and make sure the padding is correct.

Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2013 08:52 AM

If this has answered your question, please mark it accepted. Thanks!

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2013 08:14 AM

The "." is combining the string "0" with the value of X. The last pair makes sure that anything not matching in the case statement will assign the value of X to the field "tt", to make sure they are all there.

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎12-04-2013 07:55 AM

This seems to work fine, thanks!

To get sure, that I understand what I'm doing here:
Could you explain why are we using a "dot" in the the Y argument? And what's the use last pair "(1=1,X)?

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2013 07:15 AM

See edit above.

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎12-04-2013 05:09 AM

hi,

thanks for your answer. The headers are values of a field "X", which I create during my search. The command looks like this:

| timechart span=1d dc(user) by X

So it's not about sorting fields, but sorting the values of field X (which are the column headers in the shown chart).

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...