Solved: How to sort the month when using the field in char...

sangs8788 · ‎09-03-2018

Hi

Below is a query which returns the latency over month by cust_id. Events contain fields as month=April, month=May etc

...| chart  max(Avg) as Avg, max(Max) as Max, p95(P95) as P95 over month by cust_id  useother=f limit=40 |sort  -Max, -P95

The query shows result in sorted by month name since month is a string. How do i sort by calendar series and display as a chart ? ![alt text][1]

sangs8788 · ‎09-03-2018

I found the answer. This worked

| eval  sort=case(       Month=="January","1",       Month=="February","2",       Month=="March","3",       Month=="April","4",       Month=="May","5",       Month=="June","6",       Month=="July","7",       Month=="August","8",       Month=="Septempber","9",       Month=="October","10",       Month=="November","11",       Month=="December","12")|sort sort |fields - sort

View solution in original post

sangs8788 · ‎09-03-2018

I found the answer. This worked

| eval  sort=case(       Month=="January","1",       Month=="February","2",       Month=="March","3",       Month=="April","4",       Month=="May","5",       Month=="June","6",       Month=="July","7",       Month=="August","8",       Month=="Septempber","9",       Month=="October","10",       Month=="November","11",       Month=="December","12")|sort sort |fields - sort

How to sort the month when using the field in chart over command?

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

How to sort the month when using the field in chart over command?

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?