Solved: How to maintain the exact sequence of columns in c...

pal4life · ‎03-27-2017

Hi,
I currently have this query

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"| table _time, high, medium, low | untable _time severity value| chart first(value) over _time by severity

But for some reason when the chart is drawn, it shows me a bar chart with high then low then medium on it, how can I ensure it maintains the sequence of high, medium and low?

Thanks.

somesoni2 · ‎03-27-2017

If the field names are static, you could just add your table command at the end as well.

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"| table _time, high, medium, low | untable _time severity value| chart first(value) over _time by severity | table _time, high, medium, low

After chart/timechart/xyseries type of commands fields name are sorted alphabatically (H,L,M). One workaround would be to add a numeric seq number to field names so that they are sorted numerically and retain their order.

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"| table _time, high, medium, low | untable _time severity value | streamstats count as sno by _time | eval severity=sno.".".severity | chart first(value) over _time by severity

View solution in original post

woodcock · ‎03-27-2017

Like this:

 source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"
| table _time high medium low
| rename high AS "  high" medium AS " medium"

Note that high has been renamed with 2 leading spaces and medium with just one (and low not at all).
The whitespace is invisible in the chart but forces the alphabetical order that you desire.
I do not think that you need the untable -> rechart because I am assuming that you did that in an attempt to re-order the fields but if you need it to coalesce values or times, then just add it back in.

woodcock · ‎03-27-2017

Hey, you forgot to test mine; it works and is the simplest.

DalJeanis · ‎05-17-2017

I like it, for small number of fields.

lguinn2 · ‎03-27-2017

Charts are sorted using the fields following the "by". "high, low, medium" is an alphabetic sort. Try this:

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"
| untable _time severity value
| eval severity_sorter = case(severity=="high",3, severity=="medium",2, severity=="low",1,1==1,0)
| chart first(value) by _time severity_sorter
| rename "1" as Low "2" as "Medium" "3" as "High"

pal4life · ‎03-27-2017

Seems like a good idea but this gives no output

DalJeanis · ‎05-17-2017

Underscore missing on _time was the reason for no data. Unfortunately, the rename reorders the fields, so you have to use either somesoni2's method (append numeric) or woodcock's (append spaces).

somesoni2 · ‎03-27-2017

If the field names are static, you could just add your table command at the end as well.

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"| table _time, high, medium, low | untable _time severity value| chart first(value) over _time by severity | table _time, high, medium, low

After chart/timechart/xyseries type of commands fields name are sorted alphabatically (H,L,M). One workaround would be to add a numeric seq number to field names so that they are sorted numerically and retain their order.

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"| table _time, high, medium, low | untable _time severity value | streamstats count as sno by _time | eval severity=sno.".".severity | chart first(value) over _time by severity

pal4life · ‎03-27-2017

The first one worked for me, I will try the 2nd option as well.

How to maintain the exact sequence of columns in chart

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life