Hello,
I'm trying to display a graph of my Splunk applications by usage, highest to lowest within a given time period. Can I sort so I can see highest on the left to lowest over, say, 7 days? This is what I have now:
index=_internal source=*access.log GET sourcetype=splunk_web_access
| search "/app/"
| rex field=_raw "\/app\/(?<appName>\S+)\/"
| timechart span=1d count by appName usenull=f useother=f
| fields - launcher, search
I tried sorting by appName, count, etc., but no change.
Here is what the current timechart looks like:
Hi patrick.okeeffe@icbc.com,
I agree with @DalJeanis that in following your request you lose the time vision of your events.
Anyway, I had a customer who asked me something near your request, and I solved it in this way:
index=_internal source=*access.log GET sourcetype=splunk_web_access
| search "/app/"
| rex field=_raw "\/app\/(?<appName>\S+)\/"
| bin span=1d _time
| search appName!=launcher AND appName!=search
| eval column=appName+" "+strftime(_time,"%Y-%m-%d %H:%M:%S")
| stats count by column
| sort -count
Bye.
Giuseppe
What you are asking for doesn't make much sense to me. timechart is charting over a period of time... that is what determines left vs right.
I don't believe you can have each day sort from highest to lowest, retaining color... That would lose the visual anchoring that tells you which color orange is which series, and multiple oranges or blues would end up next to each other, making it even more difficult to read.
You might consider switching to a line chart rather than a bar chart, since with this data that would be more understandable.
Thank you both. Appreciate the feedback.
I was thinking it would be visually easier to use a bar chart that showed me the highest to lowest, left to right within any given day. But the line chart makes sense.
Cheers,
Patrick