Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Ordering Columns Not Working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have a column chart and want to order the columns. The above link isn't quite what I am looking for. My search query is as follows, and works all apart from I'd like it ordering.
host="*90*" FeedSource | search Fixture>0 | stats max(_time) As LatestTime By Action | eval Gap=time()-LatestTime | chart last(Gap) by Action`
How can I order the fields such as CACHE_INSERT CACHE_UPDATE etc?
Many thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure this will work, but try putting the table command at the end of your search, listing the fields in the order that you want them to appear. Be sure to list them all!
host="*90*" FeedSource Fixture>0
| stats max(_time) As LatestTime By Action
| eval Gap=time()-LatestTime
| chart last(Gap) as lastGap by Action
| table CACHE_INSERT CACHE_UPDATE
I do see some problems with this. First time() is the current wall clock time - even if you want the "current" time, I would use now(). now() is when the search began, and so it will be consistent for all events in this search. But time() will vary based on how long this search takes to run.
The second problem is that your table command must list all the values of Action. If these change, then your search must be updated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure this will work, but try putting the table command at the end of your search, listing the fields in the order that you want them to appear. Be sure to list them all!
host="*90*" FeedSource Fixture>0
| stats max(_time) As LatestTime By Action
| eval Gap=time()-LatestTime
| chart last(Gap) as lastGap by Action
| table CACHE_INSERT CACHE_UPDATE
I do see some problems with this. First time() is the current wall clock time - even if you want the "current" time, I would use now(). now() is when the search began, and so it will be consistent for all events in this search. But time() will vary based on how long this search takes to run.
The second problem is that your table command must list all the values of Action. If these change, then your search must be updated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would it make sense to use the stats command instead of the chart command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry - didn't know this was a RT search - then time() IS a better choice.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, seems to have had the same effect as in the link I posted in my question. Also using now() in a real-time search causes the results to gradually move into greater negative values.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
