Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to customize the order of fields in the legend for a stacked column chart?

splunkrocks2014
Communicator
‎11-09-2016 10:57 AM

Hi. I have a stacked column chart with stacked. The end of the search is the following:

 | chart count over fields by status

I think by default, the legend is displayed by alphabetical order based on the status name. Is it possible to customize the order? For instance, I have status with a,b,c,d,and e, can I sort the order as a, c, e, d, b?

Thanks.

Reply

Kenshiro70
Path Finder
‎06-21-2018 08:33 AM

Use the fields command, like so:

| chart count over serverType by status
| fields serverType a c e d b

(I changed the name from "fields" in the original example to "serverType" to avoid confusion.)

Note that depending on the result set, you might need to use transpose or xyseries to move the data fields into columns.

Reply

woodcock
Esteemed Legend
‎04-03-2017 01:17 AM

Yes, you need to prepend the appropriate number of spaces to each so that the names will be alphabetically in the order that you desire. When splunk renders the names of each, the spaces will be invisible. So in your case, like this:

| chart count over fields by status | rename a AS "    a" c AS "   c" e AS "  e" d AS " d"
Reply

jkat54
SplunkTrust
SplunkTrust
‎11-09-2016 06:30 PM

Sure. We typically achieve this with an eval if condition that affixes a number to the front like this.

| eval status=if(status=="a","1.a",if(status=="c","2.c","else"))

You could do this with if or case eval functions and you might need to combine it with the match eval function so you can match based on regex:

 | eval status=if(match(status,"[aA]"),"1.a",if(match(status,"[cC]"),"2.c","else"))

or like this but replacing {regex} with a regex that matches what you're looking for:

 | eval status=if(match(status,"{regex}"),"1.a",if(match(status,"{regex}"),"2.c","else"))
Reply

jkat54
SplunkTrust
SplunkTrust
‎11-10-2016 06:45 PM

Yep, only method without numbers or letters is custom JS or css or maybe both. Would only work for specific data and I'd only recommend it in narrow circumstances however.

0 Karma
Reply

splunkrocks2014
Communicator
‎11-10-2016 10:40 AM

That works as expected, but the status name starts with a number. I guess that's impossible to remove the number.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...