Solved: Why is the chart command returning months in alpha...

archu_01 · ‎11-05-2018

I am trying to sort the data month wise using the chart command. However the month is getting sorted alphabetically.

I tried referring the older post around the same topic, but none of solution works.

Tried all of these options

base search | eval Month =strftime(_time,"%b") | chart count over rules by Month
base search | eval Month =strftime(_time,"%b") | chart count over rules by Month | eval sort=case(Month=="Jan","1",
Month=="Feb","2", Month=="Mar","3", Month=="Apr","4", Month=="May","5", Month=="Jun","6", Month=="Jul","7",

Month=="Aug","8", Month=="Sep","9", Month=="Oct","10", Month=="Nov","11", Month=="Dec","12")|sort sort |fields -
sort

The query that works is by numeric(as shown below) , but how do I convert the numeric to represent "month Name" as "Sep 2018,oct 2018 "?

base search | eval Monthnum =strftime(_time,"%m") | chart count over rules by Monthnum

renjith_nair · ‎11-07-2018

@archu_01,

Try this and see if it works for you

 base search | eval Month =strftime(_time,"%b") | chart count over rules by Month
 |fields rules,Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
 |transpose|transpose header_field=column |fields - column

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎11-07-2018

@archu_01,

Try this and see if it works for you

 base search | eval Month =strftime(_time,"%b") | chart count over rules by Month
 |fields rules,Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
 |transpose|transpose header_field=column |fields - column

---
What goes around comes around. If it helps, hit it with Karma 🙂

archu_01 · ‎11-07-2018

cool this works. I haven't used transpose but looks like the query limits the rows only to 5, can we make the limit 0 ?

renjith_nair · ‎11-07-2018

@archu_01,
yes ofcourse, just add transpose 0

See the int in http://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Transpose#Optional_arguments

---
What goes around comes around. If it helps, hit it with Karma 🙂

archu_01 · ‎11-09-2018

Thanks this works !!

renjith_nair · ‎11-05-2018

@archu_01,

Try specifying the month names with fields

base search | eval Month =strftime(_time,"%b") | chart count over rules by Month
|fields rules,Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec

---
What goes around comes around. If it helps, hit it with Karma 🙂

archu_01 · ‎11-06-2018

While this sort the fields the output which is the count is empty. The result is empty .

archu_01 · ‎11-06-2018

rechecked the result set, the data is working. however if I set the time frame to last 90 days then how can we display the data just to show Aug,sep,oct, Nov ? since we mentioned all the months in the fields command other months populate as results and show 0 count ?

rules Jan feb Mar Apr Jun Jul Aug Sep Oct Nov Dec
xxx 200 10 300 500

renjith_nair · ‎11-06-2018

I got what you mean. I will try for a solution and meanwhile I will move as a comment so that others might be able to help you

---
What goes around comes around. If it helps, hit it with Karma 🙂

Why is the chart command returning months in alphabetical order?

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?

Why is the chart command returning months in alphabetical order?

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...