Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Sort by time in a chart with time header names
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dojiepreji
Path Finder
05-10-2019
01:48 AM
Hi,
I have a search table that aims to show the inflow of tickets for a time range.
Here is what it looks like...
Hour | Apr-18 | Apr-19 | Aug-18 | Dec-18
0:00 2 3 5 3
1:00 2 13 2 1
Here is the search for this table...
index=_internal
| bin _time span=1h
| eval hour = strftime(_time, "%H:%M")
| eval monthYear = strftime(_time, "%b-%y")
| stats count(ticketNumber) as inflow values(hour) as hour values(monthYear) as monthYear by _time
| chart limit=0 sum(inflow) as inflow over hour by monthYear
I want to sort my columns by date, (Apr-18, Aug-18, Dec-18, Apr-19). I cannot use "fields ..." because the user is free to input the time range that the table will display.
Any help would be appreciated. Thank you.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dojiepreji
Path Finder
05-10-2019
02:30 AM
I solved it by appending a "-01" on monthYear and then transposing the chart.
index=_internal
| timechart span=1h count
| eval hour = strftime(_time, "%H:%M")
| eval monthYear = strftime(_time, "%b-%y")
| chart limit=0 sum(count) as inflow over monthYear by hour
| eval dateSort = monthYear . "-1"
| eval dateSortEpoch = strptime(dateSort, "%b-%y-%d")
| sort dateSortEpoch
| transpose 0 column_name="Time" header_field="monthYear"
| search NOT Time = "date*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dojiepreji
Path Finder
05-10-2019
02:30 AM
I solved it by appending a "-01" on monthYear and then transposing the chart.
index=_internal
| timechart span=1h count
| eval hour = strftime(_time, "%H:%M")
| eval monthYear = strftime(_time, "%b-%y")
| chart limit=0 sum(count) as inflow over monthYear by hour
| eval dateSort = monthYear . "-1"
| eval dateSortEpoch = strptime(dateSort, "%b-%y-%d")
| sort dateSortEpoch
| transpose 0 column_name="Time" header_field="monthYear"
| search NOT Time = "date*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
05-10-2019
01:56 AM
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
