Timechart's Table Column Header - Sorted in Descen...

syslogap · ‎11-05-2012

Hi,

I'm using version 4.2.2 with the search query:

host = "JA8*" AND eventtype="firewall*" earliest=7/1/2011:0:0:0 | dedup _raw | timechart count by host span=month limit=20

This produces a timechart with the table header sorted in descending order - "time, JA827J, JA826J, JA825J, JA822J, JA812A, JA810A, ...". Is there anything I can do to get the table header sorted in ascending order - "_time, JA810A, JA812A, JA822J, JA825J, ..." besides upgrading to 5.0 where this issue doesn't occur?

It appears descending order is being caused by using "limit" in the search query. I have more than 10 hosts so not using "limit" isn't an option as far as I understand it.

Thanks in advance for any help.

JForhan

yong_ly · ‎12-18-2012

have you tried the sort command?

host = "JA8*" AND eventtype="firewall*" earliest=7/1/2011:0:0:0 | dedup _raw | timechart count by host span=month limit=20 | sort by host DESC

martin_mueller · ‎12-19-2012

sort sorts rows, not columns.

syslogap · ‎11-06-2012

Thanks. That suffices as a work-around until we upgrade.

martin_mueller · ‎11-06-2012

You can specify the field order with the fields command, it might just require listing every field name.

Timechart's Table Column Header - Sorted in Descending Order

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation