Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sort the output of chart command

dpatiladobe
Explorer
‎12-03-2019 09:28 AM

I am trying to plot chart by ObjectName , Date by Duration. And wanted to sort them by Date desc and Duration desc. I am not able to get same.

some search .....| eval ObjectName=if(isnull(ObjectName), "Full_Processing_time",ObjectName) |eval Date=strftime(_time,"%d/%m/%y") | eval Duration=round(tonumber(Duration)/1000/60,2) | chart max(Duration) as D by ObjectName,Date | sort 0 D Date | fields - D Date

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2019 11:03 PM

First of all, you cannot sort by D because this is involved in a 2-dimensional matrix; you can only sort by the X-axis ( Date ) or Y-axis ( ObjectName ) field names (or both). In this case, you would like the the date sorting reversed so that the most recent is on the left instead of the right.
I have done this many times several different ways but I have decided to try something new this time.
Try adding this to the bottom of your existing search:

| fields ObjectName * [| makeresults 
| addinfo
| foreach info_*_time [ bin <<FIELD>> span=1d | eval <<FIELD>>=strftime(<<FIELD>>, "%m/%d/%Y") ]
| map search="|gentimes start=$info_min_time$ end=$info_max_time$"
| sort 0 - starttime
| fields starttime
| eval starttime = strftime(starttime, "%m/%d/%Y")
| stats list(starttime) AS search
| nomv search]

Here is a run-anywhere example (try running for Last 7 Days😞

| tstats range(_time) AS Duration WHERE index="_*" AND sourcetype="*splunk*" BY sourcetype _time span=1d
| rename sourcetype AS ObjectName

| rename COMMENT AS "Everything above generates sample data; everything below is your solution."

| eval ObjectName=if(isnull(ObjectName), "Full_Processing_time",ObjectName) 
| eval Duration=round(tonumber(Duration)/1000/60,2)
| eval Date=strftime(_time, "%m/%d/%Y")
| chart limit=0 max(Duration) AS D BY ObjectName Date
| fields ObjectName * [| makeresults 
| addinfo
| foreach info_*_time [ bin <<FIELD>> span=1d | eval <<FIELD>>=strftime(<<FIELD>>, "%m/%d/%Y") ]
| map search="|gentimes start=$info_min_time$ end=$info_max_time$"
| sort 0 - starttime
| fields starttime
| eval starttime = strftime(starttime, "%m/%d/%Y")
| stats list(starttime) AS search
| nomv search]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-03-2019 11:03 PM

First of all, you cannot sort by D because this is involved in a 2-dimensional matrix; you can only sort by the X-axis ( Date ) or Y-axis ( ObjectName ) field names (or both). In this case, you would like the the date sorting reversed so that the most recent is on the left instead of the right.
I have done this many times several different ways but I have decided to try something new this time.
Try adding this to the bottom of your existing search:

| fields ObjectName * [| makeresults 
| addinfo
| foreach info_*_time [ bin <<FIELD>> span=1d | eval <<FIELD>>=strftime(<<FIELD>>, "%m/%d/%Y") ]
| map search="|gentimes start=$info_min_time$ end=$info_max_time$"
| sort 0 - starttime
| fields starttime
| eval starttime = strftime(starttime, "%m/%d/%Y")
| stats list(starttime) AS search
| nomv search]

Here is a run-anywhere example (try running for Last 7 Days😞

| tstats range(_time) AS Duration WHERE index="_*" AND sourcetype="*splunk*" BY sourcetype _time span=1d
| rename sourcetype AS ObjectName

| rename COMMENT AS "Everything above generates sample data; everything below is your solution."

| eval ObjectName=if(isnull(ObjectName), "Full_Processing_time",ObjectName) 
| eval Duration=round(tonumber(Duration)/1000/60,2)
| eval Date=strftime(_time, "%m/%d/%Y")
| chart limit=0 max(Duration) AS D BY ObjectName Date
| fields ObjectName * [| makeresults 
| addinfo
| foreach info_*_time [ bin <<FIELD>> span=1d | eval <<FIELD>>=strftime(<<FIELD>>, "%m/%d/%Y") ]
| map search="|gentimes start=$info_min_time$ end=$info_max_time$"
| sort 0 - starttime
| fields starttime
| eval starttime = strftime(starttime, "%m/%d/%Y")
| stats list(starttime) AS search
| nomv search]
0 Karma
Reply
Solved! Jump to solution

dpatiladobe
Explorer
‎12-04-2019 09:14 AM

Thanks @woodcock , These is awesome. These sorts the Chart by Date desc, I want to add the Duration also to sort chart as desc order of duration. Is that possible ?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-04-2019 10:09 AM

No, sorting by D is not possible and I mentioned this in the very first part of my answer, That field's data is now 2-dimensional and sorting in 2 dimensions has no meaning. Take a look at the output and think about it and you will see what I mean.

0 Karma
Reply
Solved! Jump to solution

dpatiladobe
Explorer
‎12-04-2019 10:38 AM

Thanks I got it

0 Karma
Reply
Solved! Jump to solution

dpatiladobe
Explorer
‎12-04-2019 09:44 AM

If i add | sort -D after the fields ObjectName * , it sorts according to Duration desc but then it goes and sort Date as asc

| tstats range(_time) AS Duration WHERE index="_*" AND sourcetype="*splunk*" BY sourcetype _time span=1d
 | rename sourcetype AS ObjectName

 | rename COMMENT AS "Everything above generates sample data; everything below is your solution."

 | eval ObjectName=if(isnull(ObjectName), "Full_Processing_time",ObjectName) 
 | eval Duration=round(tonumber(Duration)/1000/60,2)
 | eval Date=strftime(_time, "%m/%d/%Y")
 | chart limit=0 max(Duration) AS D BY ObjectName Date
 | fields ObjectName * [| makeresults 
 | addinfo
 | foreach info_*_time [ bin <<FIELD>> span=1d | eval <<FIELD>>=strftime(<<FIELD>>, "%m/%d/%Y") ]
 | map search="|gentimes start=$info_min_time$ end=$info_max_time$"
 | sort 0 - starttime
 | fields starttime
 | eval starttime = strftime(starttime, "%m/%d/%Y")
 | stats list(starttime) AS search
 | nomv search]
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-04-2019 10:06 AM

Never use | sort without a number. EVER.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...