Splunk Search

Sorting the legend in a graph newest date to oldest from top to bottom

Motivator

This is my search. It is multiple timecharts timewrapped per week.

SEARCH:

index=... earliest=@w1 latest=+7d@w1| 
timechart span=5m 
max(KPI1) as Registrations | timewrap w series=exact |
appendcols [search 
index=... earliest=-7d@w1 latest=@w1| 
timechart span=5m 
max(KPI1) as Registrations | timewrap w series=exact 
] | appendcols [search 
index=... earliest=-14d@w1 latest=-7d@w1| 
timechart span=5m 
max(KPI1) as Registrations | timewrap w series=exact
] | appendcols [search 
index=... earliest=-21d@w1 latest=-14d@w1| 
timechart span=5m 
max(KPI1) as Registrations | timewrap w series=exact
]

GRAPH:
Graph with Legend Not ordered as I would like

This is my graph that is generated. But the legend appears like this:

Registrations_week_of_May14
Registrations_week_of_Apr23
Registrations_week_of_Apr30
Registrations_week_of_May07

I want it to appear as this: (preferably with the newest date reading from top to bottom or alternatively with the oldest date reading from top to bottom.)

Registrations_week_of_May07
Registrations_week_of_May14
Registrations_week_of_Apr23
Registrations_week_of_Apr30


SplunkTrust

@HattrickNZ, the idea of the timewrap command is for you to write a single search for the complete time range and let the command create time buckets for series comparison.

For example, see the following run-anywhere search. However, as you would have seen, the resulting series will be sorted in chronological order. In your case you can optionally also use time_format="Week of %Y-%m-%d":

index=_internal earliest=-21d@w1 latest=+7d@w1 
| eval KPI1=random()
| timechart span=5m max(KPI1) as Registrations_w1 

Since you need the series to be reverse sorted and have already used the appendcols command, all you need to do is rename the series to a meaningful format and adjust the x-axis to the same time range, to let the series overlap. Refer to this Splunk blog: https://www.splunk.com/blog/2012/02/19/compare-two-time-ranges-in-one-report.html

Following is a run-anywhere example to test:

index=_internal earliest=@w1 latest=+7d@w1 
| eval KPI1=random() 
| timechart span=5m max(KPI1) as Registrations_current_week
| appendcols 
    [ search index=_internal earliest=-7d@w1 latest=@w1 
    | eval KPI1=random() 
    | timechart span=5m max(KPI1) as Registrations_last_07days
    | eval _time=_time+60*60*24*7 ] 
| appendcols 
    [ search index=_internal earliest=-14d@w1 latest=-7d@w1 
    | eval KPI1=random() 
    | timechart span=5m max(KPI1) as Registrations_last_14days
    | eval _time=_time+60*60*24*14 ] 
| appendcols 
    [ search index=_internal earliest=-21d@w1 latest=-14d@w1 
    | eval KPI1=random() 
    | timechart span=5m max(KPI1) as Registrations_last_21days
    | eval _time=_time+60*60*24*21 ]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"