Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sort highest to lowest over time with timechart

patrick_okeeffe
Engager
‎11-06-2017 03:47 PM

Hello,

I'm trying to display a graph of the my Splunk applications by usage, highest to lowest within a given time period. Can I sort so I can see highest on the left to lowest over say 7 days. This is what I have now:

index=_internal source=*access.log GET sourcetype=splunk_web_access
| search "/app/"
| rex field=_raw "\/app\/(?\S+)\/"
| timechart span=1d count by appName usenull=f useother=f
| fields - launcher, search

I tried sorting by appName, count etc but no change.

here is what the current timechart looks like:
alt text

Preview file
8 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2017 12:05 AM

Hi patrick.okeeffe@icbc.com,
I agree with @DalJeanis that i following yourrequest you loose the time vision of you events.
Anyway I had a customer that asked to me something near your request and I solved in this way:

index=_internal source=*access.log GET sourcetype=splunk_web_access 
| search "/app/" 
| rex field=_raw "\/app\/(?<appName>\S+)\/" 
| bin span=1d _time
| search appName!=launcher OR appName!=search
| eval column=appName+" "+strftime(_time,"%Y-%m-%d %H:%M:%S")
| stats count by column 
| sort -count

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2017 12:05 AM

Hi patrick.okeeffe@icbc.com,
I agree with @DalJeanis that i following yourrequest you loose the time vision of you events.
Anyway I had a customer that asked to me something near your request and I solved in this way:

index=_internal source=*access.log GET sourcetype=splunk_web_access 
| search "/app/" 
| rex field=_raw "\/app\/(?<appName>\S+)\/" 
| bin span=1d _time
| search appName!=launcher OR appName!=search
| eval column=appName+" "+strftime(_time,"%Y-%m-%d %H:%M:%S")
| stats count by column 
| sort -count

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎11-06-2017 06:01 PM

What you are asking for doesn't make much sense to me. timechart is charting over a period of time... that is what determines left vs right.

I don't believe you can have each day sort from highest to lowest, retaining color...That would lose the visual anchoring that tells you which color orange is which series, and multiple oranges or blues would end up next to each other, making it even more difficult to read.

You might consider switching to a line chart rather than a bar chart, since with this data that would be more understandable.

0 Karma
Reply
Solved! Jump to solution

patrick_okeeffe
Engager
‎11-07-2017 08:59 AM

Thank you both. Appreciate the feedback.

I was thinking it would be visually easier to use a bar chart that showed me the highest to lowest, left to right within any given day. But the line chart makes sense.

Cheers,
Patrick

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...