Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to sort column chart based on month-year order

dhavamanis
Builder
‎08-06-2015 08:11 AM

Need your help,

We have column charts with the below query and its working fine,

index="myindex" source="/opt/apps/data/views/app_PV_UV_Data_3.csv" |timechart sum(PAGE_VIEWS) as PageViews span=1mon

its showing as

2013-Jan, Feb...2014-Jan,Feb....2015-Jan,Feb

but there is requirement to show data in this order,

Jan-2013,Jan-2014,Jan-2015,Feb-2014,Feb-2014,Feb-2015

Can you please help us to write this query

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-06-2015 08:40 AM

Currently you're getting a timechart with field _time (epoch) and PageViews, with results sorted ascending order of _time. Try something like this

 index="myindex" source="/opt/apps/data/views/app_PV_UV_Data_3.csv" |timechart sum(PAGE_VIEWS) as PageViews span=1mon | eval Timestamp=strftime(_time,"%m-%Y-%b-%Y") | table Timestamp PageViews | sort Timestamp | eval Timestamp=substr(Timestamp,8)

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-06-2015 08:50 AM

Do it like this:

index="myindex" source="/opt/apps/data/views/app_PV_UV_Data_3.csv" | bucket _time span=1m | chart sum(PAGE_VIEWS) as PageViews by _time | eval myTime = strftime(_time, "%m-%y") | sort myTime | fields myTime PageViews | fields - _time
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-06-2015 08:40 AM

Currently you're getting a timechart with field _time (epoch) and PageViews, with results sorted ascending order of _time. Try something like this

 index="myindex" source="/opt/apps/data/views/app_PV_UV_Data_3.csv" |timechart sum(PAGE_VIEWS) as PageViews span=1mon | eval Timestamp=strftime(_time,"%m-%Y-%b-%Y") | table Timestamp PageViews | sort Timestamp | eval Timestamp=substr(Timestamp,8)
Reply
Solved! Jump to solution

dhavamanis
Builder
‎08-06-2015 08:50 AM

Thank you so much, its working fine, can you please give me the query with out hyphen (-jan-2013) in the beginning.

0 Karma
Reply
Solved! Jump to solution

dhavamanis
Builder
‎08-06-2015 08:55 AM

i just adjusted the query and it works. Thank you,

eval Timestamp=substr(Timestamp,9)

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...