Splunk Search

How to specify the order of fields legend in a chart?

jdagenais
Explorer

I created a search query that returns a set of database alerts which contains a field called alert. The field contains text values such as alert_15s, alert_120s, etc.

I am building a stacked chart which currently displays these alerts in this order:

alert_120s
alert_15s
alert_180s
alert_300s
alert_600s
alert_60s

How can I change the order of the fields/legends to be this way:

alert_15s
alert_60s
alert_120s
alert_180s
alert_300s
alert_600s

Thanks, Jean


sideview
SplunkTrust

If you are graphing something and your legend values are coming out:

alert_120s
alert_15s
alert_180s
alert_300s
alert_600s
alert_60s

and you want the legend values to be in this order:

alert_15s
alert_60s
alert_120s
alert_180s
alert_300s
alert_600s

it's dead simple. Take whatever search was generating the order you didn't want, and tack on a fields clause to reorder them.

<your search> | fields _* * alert_15s alert_60s alert_120s alert_180s alert_300s alert_600s

The FlashChart module just puts up legend items in the order it gets them, so all you have to do is change the order with fields or table

The little wildcard terms are telling Splunk to put all the hidden 'underscore' columns first, then any other columns, and then finally end the sequence with the specified columns. If you'd rather specify the columns explicitly you can of course do that. Note that the fields clause seems to damage timechart now, in that the _time field can get removed if you leave off _* or _time...

sansay
Contributor

This is all very fine if you know what the fields will be.
But what about inverting the order of fields dynamically?
"sort" doesn't work.

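As an added example that is not part of the original thread: a small Python model of both approaches discussed above, the static reorder sideview describes (`| fields _* * alert_15s alert_60s ...`) and the dynamic case sansay raises (putting alert_* fields in numeric order when you do not know the field names in advance). The column list and row values are constructed sample data, and `reorder_fields` is a model of the behaviour the answer describes (underscore fields first, other fields next, explicitly named fields last), not Splunk's own implementation of the fields command.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample: the column order the stacked chart produced
# (string order, so alert_120s lands before alert_15s), plus the hidden
# _time column that timechart carries along.
SAMPLE_COLUMNS: List[str] = [
    "_time", "alert_120s", "alert_15s", "alert_180s",
    "alert_300s", "alert_600s", "alert_60s",
]

# Constructed sample rows; the counts are made up.
SAMPLE_ROWS: List[Dict[str, object]] = [
    {"_time": "2013-05-01T00:00:00", "alert_120s": 3, "alert_15s": 9,
     "alert_180s": 1, "alert_300s": 0, "alert_600s": 2, "alert_60s": 5},
    {"_time": "2013-05-01T01:00:00", "alert_120s": 1, "alert_15s": 4,
     "alert_180s": 0, "alert_300s": 1, "alert_600s": 0, "alert_60s": 7},
]


def reorder_fields(columns: Sequence[str], spec: Sequence[str]) -> List[str]:
    """Model of `| fields <spec>` as described in the answer above.

    Assumption (this is a model, not Splunk's code): a name that appears
    explicitly in the spec is reserved for its explicit position, so the
    wildcard patterns only expand over the remaining columns, keeping
    their original relative order. Columns that match nothing are dropped,
    which is why leaving out `_*` (or `_time`) loses the _time column.
    """
    explicit = {name for name in spec if "*" not in name}
    ordered: List[str] = []
    for pattern in spec:
        if "*" in pattern:
            # Translate a Splunk-style glob into an anchored regex.
            rx = re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")
            for col in columns:
                if col not in explicit and col not in ordered and rx.match(col):
                    ordered.append(col)
        elif pattern in columns and pattern not in ordered:
            ordered.append(pattern)
    return ordered


def natural_key(name: str):
    """Sort key that compares embedded digit runs as integers.

    re.split with a capturing group always alternates text/digits/text...,
    so two keys never compare a str against an int at the same index.
    """
    return [int(tok) if tok.isdigit() else tok for tok in re.split(r"(\d+)", name)]


def dynamic_field_order(columns: Sequence[str], reverse: bool = False) -> List[str]:
    """Hidden underscore fields first, then the rest in numeric-aware order.

    This is the dynamic case: no field names are hard-coded, so it works
    whatever alert_<N>s values show up in the results.
    """
    hidden = [c for c in columns if c.startswith("_")]
    visible = sorted((c for c in columns if not c.startswith("_")),
                     key=natural_key, reverse=reverse)
    return hidden + visible


def project(rows: Sequence[Dict[str, object]], columns: Sequence[str]) -> List[Dict[str, object]]:
    """Rebuild each row with only the chosen columns, in the chosen order."""
    return [{c: row.get(c) for c in columns} for row in rows]


if __name__ == "__main__":
    static_spec = ["_*", "*", "alert_15s", "alert_60s", "alert_120s",
                   "alert_180s", "alert_300s", "alert_600s"]
    print("static :", reorder_fields(SAMPLE_COLUMNS, static_spec))
    print("no _*  :", reorder_fields(SAMPLE_COLUMNS, static_spec[2:]))
    print("dynamic:", dynamic_field_order(SAMPLE_COLUMNS))
    print("reverse:", dynamic_field_order(SAMPLE_COLUMNS, reverse=True))
    for row in project(SAMPLE_ROWS, dynamic_field_order(SAMPLE_COLUMNS)):
        print(row)
```

The point of the second function is that the legend problem is a sort-key problem: `alert_15s` sorts after `alert_120s` only because the names are compared as strings. Once the embedded number is compared as a number, the order comes out right for any set of alert_<N>s names, and reversing it is one flag rather than a rewritten field list.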

jdagenais
Explorer

This is the solution I have found for this type of problem.

This provides both a tabular and sorted results by month, day, and alert types.

* sourcetype="sybase_alert" NOT alert="alert_error" NOT alert="alert_network"
| stats
    count(eval(alert="alert_15s")) as a_015,
    count(eval(alert="alert_60s")) as a_060,
    count(eval(alert="alert_120s")) as a_120,
    count(eval(alert="alert_300s")) as a_300,
    count(eval(alert="alert_600s")) as a_600,
    count(eval(alert="alert_deadlock")) as deadlock
  by date_month, date_mday
| sort date_month, date_mday