Solved: Re: Why is the chart command returning months in a...

archu_01 · ‎11-05-2018

I am trying to sort the data month wise using the chart command. However the month is getting sorted alphabetically.

I tried referring the older post around the same topic, but none of solution works.

Tried all of these options

base search | eval Month =strftime(_time,"%b") | chart count over rules by Month
base search | eval Month =strftime(_time,"%b") | chart count over rules by Month | eval sort=case(Month=="Jan","1",
Month=="Feb","2", Month=="Mar","3", Month=="Apr","4", Month=="May","5", Month=="Jun","6", Month=="Jul","7",

Month=="Aug","8", Month=="Sep","9", Month=="Oct","10", Month=="Nov","11", Month=="Dec","12")|sort sort |fields -
sort

The query that works is by numeric(as shown below) , but how do I convert the numeric to represent "month Name" as "Sep 2018,oct 2018 "?

base search | eval Monthnum =strftime(_time,"%m") | chart count over rules by Monthnum

renjith_nair · ‎11-07-2018

@archu_01,

Try this and see if it works for you

 base search | eval Month =strftime(_time,"%b") | chart count over rules by Month
 |fields rules,Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
 |transpose|transpose header_field=column |fields - column

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎11-07-2018

@archu_01,

Try this and see if it works for you

 base search | eval Month =strftime(_time,"%b") | chart count over rules by Month
 |fields rules,Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
 |transpose|transpose header_field=column |fields - column

---
What goes around comes around. If it helps, hit it with Karma 🙂

archu_01 · ‎11-07-2018

cool this works. I haven't used transpose but looks like the query limits the rows only to 5, can we make the limit 0 ?

renjith_nair · ‎11-07-2018

@archu_01,
yes ofcourse, just add transpose 0

See the int in http://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Transpose#Optional_arguments

---
What goes around comes around. If it helps, hit it with Karma 🙂

archu_01 · ‎11-09-2018

Thanks this works !!

renjith_nair · ‎11-05-2018

@archu_01,

Try specifying the month names with fields

base search | eval Month =strftime(_time,"%b") | chart count over rules by Month
|fields rules,Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec

---
What goes around comes around. If it helps, hit it with Karma 🙂

archu_01 · ‎11-06-2018

While this sort the fields the output which is the count is empty. The result is empty .

archu_01 · ‎11-06-2018

rechecked the result set, the data is working. however if I set the time frame to last 90 days then how can we display the data just to show Aug,sep,oct, Nov ? since we mentioned all the months in the fields command other months populate as results and show 0 count ?

rules Jan feb Mar Apr Jun Jul Aug Sep Oct Nov Dec
xxx 200 10 300 500

renjith_nair · ‎11-06-2018

I got what you mean. I will try for a solution and meanwhile I will move as a comment so that others might be able to help you

---
What goes around comes around. If it helps, hit it with Karma 🙂

Why is the chart command returning months in alphabetical order?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

Are you a member of the Splunk Community?

Why is the chart command returning months in alphabetical order?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk