I created a search query that returns a set of database alerts which contains a field called alert. The field contains text values such as alert_15s, alert_120s, etc.
I am building a stacked chart which currently displays these alerts in this order:
alert_120s
alert_15s
alert_180s
alert_300s
alert_600s
alert_60s
How can I change the order of the fields/legends to be this way:
alert_15s
alert_60s
alert_120s
alert_180s
alert_300s
alert_600s
Thanks, Jean
If you are graphing something and your legend values are coming out:
alert_120s
alert_15s
alert_180s
alert_300s
alert_600s
alert_60s
and you want the legend values to be in this order:
alert_15s
alert_60s
alert_120s
alert_180s
alert_300s
alert_600s
it's dead simple. Take whatever search was generating the order you didn't want, and tack on a fields clause to reorder them.
<your search> | fields _* * alert_15s alert_60s alert_120s alert_180s alert_300s alert_600s
The FlashChart module just puts up legend items in the order it gets them, so all you have to do is change the order with fields or table.
The little wildcard terms are telling Splunk to put all the hidden 'underscore' columns first, then any other columns, and then finally end the sequence with the specified columns. If you'd rather specify the columns explicitly you can of course do that. Note that the fields clause seems to damage timechart now, in that the _time field can get removed if you leave off _* or _time...
This is all very fine if you know what the fields will be.
But what about inverting the order of fields dynamically?
"sort" doesn't work.
This is the solution I have found for this type of problem.
This provides tabular results sorted by month, day, and alert type.
* sourcetype="sybase_alert" NOT alert="alert_error" NOT alert="alert_network"
| stats
count(eval(alert="alert_15s")) as a_015,
count(eval(alert="alert_60s")) as a_060,
count(eval(alert="alert_120s")) as a_120,
count(eval(alert="alert_300s")) as a_300,
count(eval(alert="alert_600s")) as a_600,
count(eval(alert="alert_deadlock")) as deadlock
by date_month, date_mday | sort date_month, date_mday
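For the dynamic case raised above (ordering the legend by the number of seconds without listing every field name by hand), here is an added example that is not from this thread. It assumes the same sourcetype and alert values as the search above, and that every alert name matches alert_<number>s; chart and timechart order split-by values as strings, so the trick is to zero-pad the extracted number before splitting on it.

```spl
sourcetype="sybase_alert" NOT alert="alert_error" NOT alert="alert_network"
| rex field=alert "^alert_(?<secs>\d+)s$"
| where isnotnull(secs)
| eval padded="0000".secs
| eval secs_pad=substr(padded, len(padded)-3, 4)
| eval alert_key="alert_".secs_pad."s"
| timechart count by alert_key
```

The legend then reads alert_0015s, alert_0060s, alert_0120s, ... in numeric order for whatever alert values appear in the data; alerts without a numeric suffix (alert_deadlock) are dropped by the where clause and would need a separate series if they are wanted on the same chart.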