Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sort highest to lowest over time with timechart

patrick_okeeffe
Engager
‎11-06-2017 03:47 PM

Hello,

I'm trying to display a graph of the my Splunk applications by usage, highest to lowest within a given time period. Can I sort so I can see highest on the left to lowest over say 7 days. This is what I have now:

index=_internal source=*access.log GET sourcetype=splunk_web_access
| search "/app/"
| rex field=_raw "\/app\/(?\S+)\/"
| timechart span=1d count by appName usenull=f useother=f
| fields - launcher, search

I tried sorting by appName, count etc but no change.

here is what the current timechart looks like:
alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2017 12:05 AM

Hi patrick.okeeffe@icbc.com,
I agree with @DalJeanis that i following yourrequest you loose the time vision of you events.
Anyway I had a customer that asked to me something near your request and I solved in this way:

index=_internal source=*access.log GET sourcetype=splunk_web_access 
| search "/app/" 
| rex field=_raw "\/app\/(?<appName>\S+)\/" 
| bin span=1d _time
| search appName!=launcher OR appName!=search
| eval column=appName+" "+strftime(_time,"%Y-%m-%d %H:%M:%S")
| stats count by column 
| sort -count

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2017 12:05 AM

Hi patrick.okeeffe@icbc.com,
I agree with @DalJeanis that i following yourrequest you loose the time vision of you events.
Anyway I had a customer that asked to me something near your request and I solved in this way:

index=_internal source=*access.log GET sourcetype=splunk_web_access 
| search "/app/" 
| rex field=_raw "\/app\/(?<appName>\S+)\/" 
| bin span=1d _time
| search appName!=launcher OR appName!=search
| eval column=appName+" "+strftime(_time,"%Y-%m-%d %H:%M:%S")
| stats count by column 
| sort -count

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎11-06-2017 06:01 PM

What you are asking for doesn't make much sense to me. timechart is charting over a period of time... that is what determines left vs right.

I don't believe you can have each day sort from highest to lowest, retaining color...That would lose the visual anchoring that tells you which color orange is which series, and multiple oranges or blues would end up next to each other, making it even more difficult to read.

You might consider switching to a line chart rather than a bar chart, since with this data that would be more understandable.

0 Karma
Reply
Solved! Jump to solution

patrick_okeeffe
Engager
‎11-07-2017 08:59 AM

Thank you both. Appreciate the feedback.

I was thinking it would be visually easier to use a bar chart that showed me the highest to lowest, left to right within any given day. But the line chart makes sense.

Cheers,
Patrick

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...