Splunk Search

Need to populate recent time value at the column left and oldest time towards right using chart command

New Member

Hello Experts,

We had created splunk dashboard for monitoring automation tests which is triggered at Jenkins. Below is the dashboard view which we created and kindly help here in getting the time field to show latest value in the left and currently it was showing oldest value in the left.

Kindly help here in sharing your valuable inputs.


Tags (2)
0 Karma

Ultra Champion
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-2d@m"), relative_time(_time,"@m"))
| makecontinuous span=1m
| eval steps="step".(random() % 7 + 1)
| bin span=3h _time
| timechart limit=0 count by steps
| eval step=strftime(_time,"%Y-%m-%dT%H:%M:%SZ") 
| table step*
| reverse
| transpose 0 header_field=step column_name=steps

Hi folks,
try reverse

0 Karma


@arunrajamani can you please refer to one of my older Answer on similar lines

| makeresults | eval message= "Happy Splunking!!!"
0 Karma

New Member

Hello nike,

Thanks for your reply.
I tried this but not working.
I need a solution with respect to chart command only so that my view shouldn't change.

Kindly help!!

0 Karma

New Member

Steps 19/11-15:00 19/11-21:00 20/11-09:00 20/11-12:00
Step1 P P P F
Step2 P P P S
Step3 P P P S
Step4 P P P S
Step5 P P P S
Step6 P P P S
Step7 P P P P

0 Karma

New Member

Hello Miller,

I tried reverse command aswell but not worked. Kindly help me some other way using the chart command

0 Karma


Does the reverse command help you accomplish this?

0 Karma

New Member

Query used:

Below is the query used to generate this dashboard.

|spath ​
|rename triggered-at as StartTime​
|spath path=scenarioData{} ​
| mvexpand scenarioData{} ​
| spath input=scenarioData{} ​

|rename environment as Environment, "business scenario" as BusinessScenario,steps{}.fullName as Steps,steps{}.status as Status steps{}.steptime as StepTime steps{}.stepduration as Duration evidenceURL as Evidence​

|eval string1=mvzip(Steps,Status,"sep_")​
|mvexpand string1​
|rex field=string1 "(?.)sep_"​
|rex field=string1 "sep_(?.

|eval Status = if('Status'="passed","P",if('Status'="failed","F",if('Status'="Pass","P",if('Status'="Fail","F",if('Status'="Skipped","S",if('Status'="skipped","S",'Status'))))))​
​|eval epoche=strptime(StartTime,"%Y-%m-%dT%H:%M:%SZ")​
|eval c_time=strftime(epoche,"%d/%m-%H:00")​
| search Environment="sit" AND BusinessScenario="BusinessScenario1" AND application="" AND type=""​​
| table Steps Status c_time StepTime Duration Evidence​
| chart values(Status) by Steps,c_time

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...