Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to chronologically sort headers in a table?

ASISH_9
Engager
‎12-09-2016 02:44 AM

I have the following table

ApplicationGroup          0-10        10-20      101-150     151-200     20-30       201-300      30-35     310-340

ABB                       1           3          5           3           6           2            8         2
avv                       6           8          8           8           5           9            3         7
FFD                       3           6          6           3           90          11           55        55

The number range that is shown is the Band and the numbers are basically the hours. I have created this using xyseries. As you can see the number ranges are not in order. Even if i apply sort, they are not coming in chronological order. Can we sort the number range header? If yes, how??

0 Karma
Reply

niketn
Legend
‎12-10-2016 12:56 PM

Option 1
You will have to prefix your ApplicationGroup values with "1. 0-10", "2. 10-20", "3. 20-30" etc.

your search | replace "0-10" with "1.0-10" in ApplicationGroup | replace "20-30" with "2. 20-30" in ApplicationGroup | ...

Option 2
If this works you can actually define your own lookup and map "0-10" to "1. 0-10". For example, if you create a lookup date_hour_chrono like the following example, you can use the query give below:

Date_Hour, Date_Hour_Chrono
"0-10","1. 0-10"
"10-20","2. 10-20"
"20-30","3. 20-30"
...
...

your search | lookup date_hour_chrono Date_Hour as Application_Group OUTPUT Date_Hour_Chrono | your remaining search

Option 3
One more option that you might have provided your query uses actual date_hour field extracted by Splunk from your event timestamp then you can feed the same to Splunk Punchcard visualization which plots Heat map across time series in both x and y axis and arranges according to time field selected like date_hour, date_wday etc.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sundareshr
Legend
‎12-09-2016 06:36 AM

Please share your query

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...