Sort by time in a chart with time header names

Hi,

I have a search table that aims to show the inflow of tickets for a time range.

Here is what it looks like...

Hour | Apr-18 | Apr-19 | Aug-18 | Dec-18
0:00 | 2 | 3 | 5 | 3
1:00 | 2 | 13 | 2 | 1

Here is the search for this table...

index=_internal
| bin _time span=1h
| eval hour = strftime(_time, "%H:%M")
| eval monthYear = strftime(_time, "%b-%y")
| stats count(ticketNumber) as inflow values(hour) as hour values(monthYear) as monthYear by _time
| chart limit=0 sum(inflow) as inflow over hour by monthYear

I want to sort my columns by date (Apr-18, Aug-18, Dec-18, Apr-19). I cannot use "fields ..." because the user is free to input the time range that the table will display.

Any help would be appreciated. Thank you.

1 Solution
I solved it by appending a "-01" on monthYear and then transposing the chart.

index=_internal
| timechart span=1h count
| eval hour = strftime(_time, "%H:%M")
| eval monthYear = strftime(_time, "%b-%y")
| chart limit=0 sum(count) as inflow over monthYear by hour
| eval dateSort = monthYear . "-1"
| eval dateSortEpoch = strptime(dateSort, "%b-%y-%d")
| sort dateSortEpoch
| transpose 0 header_field=monthYear column_name=Time
| search NOT Time = "date*"
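
A run-anywhere version of the same approach, added here as an example and not part of the original post: it builds six constructed timestamps with makeresults instead of reading an index, sorts the month rows by a parsed date, drops the helper field, and only then transposes so the months become columns in chronological order. The field names sample_ts and Hour and the sample timestamps are assumptions made for the illustration.

```spl
| makeresults
| eval sample_ts = split("2018-04-03 00:10,2018-04-03 01:20,2018-08-14 00:05,2018-12-01 01:30,2019-04-09 00:45,2019-04-09 00:50", ",")
| mvexpand sample_ts
| eval _time = strptime(sample_ts, "%Y-%m-%d %H:%M")
| eval hour = strftime(_time, "%H:00")
| eval monthYear = strftime(_time, "%b-%y")
| chart limit=0 count over monthYear by hour
| eval dateSortEpoch = strptime(monthYear . "-01", "%b-%y-%d")
| sort 0 dateSortEpoch
| fields - dateSortEpoch
| transpose 0 header_field=monthYear column_name=Hour
```

Without the sort, the chart command returns the month rows in lexical order (Apr-18, Apr-19, Aug-18, Dec-18); with it, the transposed columns come out as Apr-18, Aug-18, Dec-18, Apr-19.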