
How to specify the order of fields legend in a chart?

Explorer

I created a search query that returns a set of database alerts which contains a field called alert. The field contains text values such as alert_15s, alert_120s, etc.

I am building a stacked chart which currently displays these alerts in this order:

alert_120s
alert_15s
alert_180s
alert_300s
alert_600s
alert_60s

How can I change the order of the fields/legends to be this way:

alert_15s
alert_60s
alert_120s
alert_180s
alert_300s
alert_600s

Thanks, Jean


Re: How to specify the order of fields legend in a chart?

Explorer

This is the solution I have found for this type of problem.

This provides both tabular and sorted results by month, day, and alert type.

* sourcetype="sybase_alert" NOT alert="alert_error" NOT alert="alert_network"
| stats
count(eval(alert="alert_15s")) as a_015,
count(eval(alert="alert_60s")) as a_060,
count(eval(alert="alert_120s")) as a_120,
count(eval(alert="alert_300s")) as a_300,
count(eval(alert="alert_600s")) as a_600,
count(eval(alert="alert_deadlock")) as deadlock
by date_month, date_mday
| sort date_month, date_mday
0 Karma

Re: How to specify the order of fields legend in a chart?

SplunkTrust

If you are graphing something and your legend values are coming out:

alert_120s
alert_15s
alert_180s
alert_300s
alert_600s
alert_60s

and you want the legend values to be in this order:

alert_15s
alert_60s
alert_120s
alert_180s
alert_300s
alert_600s

it's dead simple. Take whatever search was generating the order you didn't want, and tack on a fields clause to reorder them.

<your search> | fields _* * alert_15s alert_60s alert_120s alert_180s alert_300s alert_600s

The FlashChart module just puts up legend items in the order it gets them, so all you have to do is change the order with fields or table.

The little wildcard terms are telling Splunk to put all the hidden 'underscore' columns first, then any other columns, and then finally end the sequence with the specified columns. If you'd rather specify the columns explicitly you can of course do that. Note that the fields clause seems to damage timechart now, in that the _time field can get removed if you leave off _* or _time...


Re: How to specify the order of fields legend in a chart?

Contributor

This is all very fine if you know what the fields will be.
But what about inverting the order of fields dynamically?
"sort" doesn't work.

0 Karma
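For the case where the alert values are not known ahead of time, the zero-padding idea from the stats answer (a_015, a_060, ...) can be applied to the alert value itself before the split-by, so the columns already arrive at the chart in ascending numeric order and no explicit fields list is needed. This is an added example, not a search posted by anyone in the thread; it assumes the chart is built with timechart count by alert, that the series come out in the string order shown in the question, and that durations have at most three digits. The field name secs is hypothetical.

```spl
sourcetype="sybase_alert" NOT alert="alert_error" NOT alert="alert_network"
| rex field=alert "^alert_(?<secs>\d+)s$"
| eval alert=if(isnotnull(secs), "alert_".substr("00".secs, -3)."s", alert)
| timechart count by alert
```

The legend labels become alert_015s, alert_060s, alert_120s and so on; values that do not match the alert_Ns pattern, such as alert_deadlock, keep their original name.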