Splunk Search

How can I rearrange the columns of my search in this specific order?

srikarbaswa446
New Member

I want to rearrange the columns of my query in a particular order as shown below, but due to the dates (01-jun-2017), the first part of the query is working fine but the other columns are coming after the dates (01-jun-2017, 02-jun-2017). So I am rearranging them like 0.1_MTD_last_mon, 0.2_CSI_pre_year. Help me sort the table columns without using these 0.1, 0.2 prefixes.

Location  MTD_Pre_mon  MTD_last_mon  CSI_pre_year  CSI_last_year  01-jun-2017  02-jun-2017  03-jun-2017
abc       1            2             5.5           6.6            90           88           99

|chart sum(MTD) as MTD_Present_Month by Location
|chart sum(MTD) as 0.1_MTD_Last_Month by Location
|chart values(CSI) as 0.2_CSI_Present_Year by Location
|bin span=1d _time
|convert ctime(_time) timeformat="%d-%b-%y %A"
|chart sum(daily) over Location by _time limit=0

These are the little parts of the query. The whole query is very long with different indexes.

0 Karma

jkat54
SplunkTrust

Make them all one stats or chart command like this:

 | bin span=1mon _time
 | stats sum(MTD) as MTD, values(CSI) as CSI_Present_Year,  sum(daily) by Location, _time

The by clause will go on the left of the chart and the other fields will go in the order you list them in, left to right.

0 Karma

gcusello
SplunkTrust

Hi srikarbaswa446,
you should try to execute the chart commands with time in epoch time and then convert it to a human-readable format after charting; the columns will probably then be in time order and not in alphabetical order.
Bye.
Giuseppe

0 Karma
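The difference between alphabetical order and time order discussed in this thread, modelled in Python as an added example that is not part of the thread and is not SPL. A plain string sort (an assumed stand-in for the column ordering the question describes) puts the date columns first and misorders dates across months, while sorting on the parsed date keeps them chronological. The function names and the `01-jul-2017` column are constructed for illustration.

```python
"""Added illustration (not from the thread): string sort vs. time sort of column names."""

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}


def parse_day(name):
    """Return (year, month, day) for a 'dd-mon-yyyy' column name, else None."""
    parts = name.split("-")
    if len(parts) != 3:
        return None
    day, mon, year = parts
    if not (day.isdigit() and year.isdigit() and mon.lower() in MONTHS):
        return None
    return (int(year), MONTHS[mon.lower()], int(day))


def lexicographic_order(columns):
    """Plain string sort, used as a model (assumption) of the ordering in the question.

    Digits sort before letters, so date columns lead; '.' sorts before digits,
    which is why a '0.1_' prefix lands ahead of '01-jun-2017'.
    """
    return sorted(columns)


def report_order(columns, fixed):
    """Fixed columns first in the order given, other columns next, dates last by real date."""
    head = [c for c in fixed if c in columns]
    dates = sorted((c for c in columns if c not in head and parse_day(c)),
                   key=parse_day)
    rest = [c for c in columns if c not in head and c not in dates]
    return head + rest + dates


# Constructed sample: the column names from the question plus one date in the next month.
COLUMNS = ["01-jul-2017", "01-jun-2017", "02-jun-2017", "03-jun-2017",
           "CSI_last_year", "CSI_pre_year", "Location",
           "MTD_Pre_mon", "MTD_last_mon"]
FIXED = ["Location", "MTD_Pre_mon", "MTD_last_mon", "CSI_pre_year", "CSI_last_year"]

if __name__ == "__main__":
    print("string sort :", lexicographic_order(COLUMNS))
    print("report order:", report_order(COLUMNS, FIXED))
```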