- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Why is the sort function not saving properly in da...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is the sort function not saving properly in dashboard panels?
Hello,
I am having an issue where I want to sort my data in a chart but for some reason when I save and close the dashboard, my sort removed a " " (space) from the search. Here is an example,
I save the search as this and the largest 10 items return in my visualization:
....
| chart sum(FREE_GB) sum(USED_GB) over TS_NAME
| sort 10 -num("sum(USED_GB)")
However, when I save and then close or refresh the dashboard, ALL of the sorts on the dashboard change to this:
....
| chart sum(FREE_GB) sum(USED_GB) over TS_NAME
| sort 10-num("sum(USED_GB)")
Notice the space has been removed between "10 -num(..."
How do I stop this from happening? Is this just a bug in Splunk or is there something wrong with my syntax??
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a bug, fixed in 6.5.4 (see discussion here: https://answers.splunk.com/answers/547674/splunk-bug-fields-command.html)
See SPL-140551, SPL-140828, SPL-140807 in fixed issues here: http://docs.splunk.com/Documentation/Splunk/6.5.4/ReleaseNotes/6.5.4
After upgrading I recommend you run the following command so you can identify any affected dashboards and fix them on the filesystem.
find $SPLUNK_HOME/etc/users $SPLUNK_HOME/etc/apps -type f -name '*.xml' -exec grep -lr 'sort-\|fields-' {} +
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@twmoffit, we had noticed this issue with Internet Explorer (IE), however, the same worked fine with Chrome. Can you try that?
This seemed like a bug with IE.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changing and saving the search in Chrome seemed to have fixed the problem for now. I hope this gets patched at some point soon though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@twmoffit, did you check out, @jplumsdaine22 's answer that this bug has already been fixed in 6.5.4. If you are using 6.5.4 or later and still observe the issue you should report the same to Splunk Support through your Entitlement. Kindly upvote if this work-around has helped.
Also if you can upgrade to 6.5.4 or later then test and accept jplumsdaine22's answer.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It has been patched (see below) However you will need to manually fix affected boards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try like this?
....
| chart sum(FREE_GB) as sum_FREE_GB sum(USED_GB) as sum_USED_GB by TS_NAME
| sort 10 -num(sum_USED_GB)
OR just
....
| chart sum(FREE_GB) as sum_FREE_GB sum(USED_GB) as sum_USED_GB by TS_NAME
| sort 10 -sum_USED_GB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of Splunk are you running and what browser?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
