Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to chronologically sort headers in a table?

ASISH_9
Engager
‎12-09-2016 02:44 AM

I have the following table

ApplicationGroup          0-10        10-20      101-150     151-200     20-30       201-300      30-35     310-340

ABB                       1           3          5           3           6           2            8         2
avv                       6           8          8           8           5           9            3         7
FFD                       3           6          6           3           90          11           55        55

The number range that is shown is the Band and the numbers are basically the hours. I have created this using xyseries. As you can see the number ranges are not in order. Even if i apply sort, they are not coming in chronological order. Can we sort the number range header? If yes, how??

0 Karma
Reply

niketn
Legend
‎12-10-2016 12:56 PM

Option 1
You will have to prefix your ApplicationGroup values with "1. 0-10", "2. 10-20", "3. 20-30" etc.

your search | replace "0-10" with "1.0-10" in ApplicationGroup | replace "20-30" with "2. 20-30" in ApplicationGroup | ...

Option 2
If this works you can actually define your own lookup and map "0-10" to "1. 0-10". For example, if you create a lookup date_hour_chrono like the following example, you can use the query give below:

Date_Hour, Date_Hour_Chrono
"0-10","1. 0-10"
"10-20","2. 10-20"
"20-30","3. 20-30"
...
...

your search | lookup date_hour_chrono Date_Hour as Application_Group OUTPUT Date_Hour_Chrono | your remaining search

Option 3
One more option that you might have provided your query uses actual date_hour field extracted by Splunk from your event timestamp then you can feed the same to Splunk Punchcard visualization which plots Heat map across time series in both x and y axis and arranges according to time field selected like date_hour, date_wday etc.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sundareshr
Legend
‎12-09-2016 06:36 AM

Please share your query

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...