Splunk Search

Need to populate recent time value at the column left and oldest time towards right using chart command

New Member

Hello Experts,

We had created splunk dashboard for monitoring automation tests which is triggered at Jenkins. Below is the dashboard view which we created and kindly help here in getting the time field to show latest value in the left and currently it was showing oldest value in the left.

Kindly help here in sharing your valuable inputs.


Tags (2)
0 Karma

Ultra Champion
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-2d@m"), relative_time(_time,"@m"))
| makecontinuous span=1m
| eval steps="step".(random() % 7 + 1)
| bin span=3h _time
| timechart limit=0 count by steps
| eval step=strftime(_time,"%Y-%m-%dT%H:%M:%SZ") 
| table step*
| reverse
| transpose 0 header_field=step column_name=steps

Hi folks,
try reverse

0 Karma


@arunrajamani can you please refer to one of my older Answer on similar lines

| makeresults | eval message= "Happy Splunking!!!"
0 Karma

New Member

Hello nike,

Thanks for your reply.
I tried this but not working.
I need a solution with respect to chart command only so that my view shouldn't change.

Kindly help!!

0 Karma

New Member

Steps 19/11-15:00 19/11-21:00 20/11-09:00 20/11-12:00
Step1 P P P F
Step2 P P P S
Step3 P P P S
Step4 P P P S
Step5 P P P S
Step6 P P P S
Step7 P P P P

0 Karma

New Member

Hello Miller,

I tried reverse command aswell but not worked. Kindly help me some other way using the chart command

0 Karma


Does the reverse command help you accomplish this?

0 Karma

New Member

Query used:

Below is the query used to generate this dashboard.

|spath ​
|rename triggered-at as StartTime​
|spath path=scenarioData{} ​
| mvexpand scenarioData{} ​
| spath input=scenarioData{} ​

|rename environment as Environment, "business scenario" as BusinessScenario,steps{}.fullName as Steps,steps{}.status as Status steps{}.steptime as StepTime steps{}.stepduration as Duration evidenceURL as Evidence​

|eval string1=mvzip(Steps,Status,"sep_")​
|mvexpand string1​
|rex field=string1 "(?.)sep_"​
|rex field=string1 "sep_(?.

|eval Status = if('Status'="passed","P",if('Status'="failed","F",if('Status'="Pass","P",if('Status'="Fail","F",if('Status'="Skipped","S",if('Status'="skipped","S",'Status'))))))​
​|eval epoche=strptime(StartTime,"%Y-%m-%dT%H:%M:%SZ")​
|eval c_time=strftime(epoche,"%d/%m-%H:00")​
| search Environment="sit" AND BusinessScenario="BusinessScenario1" AND application="" AND type=""​​
| table Steps Status c_time StepTime Duration Evidence​
| chart values(Status) by Steps,c_time

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...