Solved: How to sort the month when using the field in char...

sangs8788 · ‎09-03-2018

Hi

Below is a query which returns the latency over month by cust_id. Events contain fields as month=April, month=May etc

...| chart  max(Avg) as Avg, max(Max) as Max, p95(P95) as P95 over month by cust_id  useother=f limit=40 |sort  -Max, -P95

The query shows result in sorted by month name since month is a string. How do i sort by calendar series and display as a chart ? ![alt text][1]

sangs8788 · ‎09-03-2018

I found the answer. This worked

| eval  sort=case(       Month=="January","1",       Month=="February","2",       Month=="March","3",       Month=="April","4",       Month=="May","5",       Month=="June","6",       Month=="July","7",       Month=="August","8",       Month=="Septempber","9",       Month=="October","10",       Month=="November","11",       Month=="December","12")|sort sort |fields - sort

View solution in original post

sangs8788 · ‎09-03-2018

I found the answer. This worked

| eval  sort=case(       Month=="January","1",       Month=="February","2",       Month=="March","3",       Month=="April","4",       Month=="May","5",       Month=="June","6",       Month=="July","7",       Month=="August","8",       Month=="Septempber","9",       Month=="October","10",       Month=="November","11",       Month=="December","12")|sort sort |fields - sort

How to sort the month when using the field in chart over command?

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Are you a member of the Splunk Community?

How to sort the month when using the field in chart over command?

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement