Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sort column headers in timechart?

HeinzWaescher
Motivator
‎12-04-2013 02:40 AM

Hi,

I've got a timechart with several columns. The headers of these columns are numbers (0,1,2,3... etc) and I would like to sort the columns ascending. With the sort command it doesn't work, perhaps somebody can help me here 🙂

Thanks in advance

Heinz

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2013 04:23 AM

Fields can be "sorted" using the fields command.

your_search | fields col0 col1 col2 col3 col4 col5

Per http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractio..., you may not have fields that begin with 0-9.

Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk Enterprise's internal variables.

=EDIT=

Based on your comment, I can say that they are sorted by numeral already, just that it is based on the beginning number. To do what you want, do this:

your_search | eval tt = case(X<10,"00".X,X<100,"0".X,1=1,X) | timechart count by tt

Add additional case statements for each increase in the tens place, and make sure the padding is correct.

View solution in original post

Reply
Solved! Jump to solution

chakuttha
Explorer
‎10-26-2022 07:33 PM

Thank you so much.

 

Best Regards,

CR

0 Karma
Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2013 04:23 AM

Fields can be "sorted" using the fields command.

your_search | fields col0 col1 col2 col3 col4 col5

Per http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractio..., you may not have fields that begin with 0-9.

Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk Enterprise's internal variables.

=EDIT=

Based on your comment, I can say that they are sorted by numeral already, just that it is based on the beginning number. To do what you want, do this:

your_search | eval tt = case(X<10,"00".X,X<100,"0".X,1=1,X) | timechart count by tt

Add additional case statements for each increase in the tens place, and make sure the padding is correct.

Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2013 08:52 AM

If this has answered your question, please mark it accepted. Thanks!

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2013 08:14 AM

The "." is combining the string "0" with the value of X. The last pair makes sure that anything not matching in the case statement will assign the value of X to the field "tt", to make sure they are all there.

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎12-04-2013 07:55 AM

This seems to work fine, thanks!

To get sure, that I understand what I'm doing here:
Could you explain why are we using a "dot" in the the Y argument? And what's the use last pair "(1=1,X)?

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-04-2013 07:15 AM

See edit above.

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎12-04-2013 05:09 AM

hi,

thanks for your answer. The headers are values of a field "X", which I create during my search. The command looks like this:

| timechart span=1d dc(user) by X

So it's not about sorting fields, but sorting the values of field X (which are the column headers in the shown chart).

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...