Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sorting the legend in a graph newest date to oldest from top to bottom

HattrickNZ
Motivator
‎05-17-2018 03:33 PM

This is my search. It is multiple timecharts timewraped per week

SEARCH:

index=... earliest=@w1 latest=+7d@w1| 
timechart span=5m 
max(KPI1) as Registrations | timewrap w series=exact |
appendcols [search 
index=... earliest=-7d@w1 latest=@w1| 
timechart span=5m 
max(KPI1) as Registrations | timewrap w series=exact 
] | appendcols [search 
index=... earliest=-14d@w1 latest=-7d@w1| 
timechart span=5m 
max(KPI1) as Registrations | timewrap w series=exact
] | appendcols [search 
index=... earliest=-21d@w1 latest=-14d@w1| 
timechart span=5m 
max(KPI1) as Registrations | timewrap w series=exact
]

GRAPH:
Graph with Legend Not ordered as I would like

This is my graph that is generated. But the legend appears like this

Registrations_week_of_May14
Registrations_week_of_Apr23
Registrations_week_of_Apr30
Registrations_week_of_May07

I want it to appear as this: (preferably with the newest date reading from top to bottom or alternatively with the oldest date reading from top to bottom.)

Registrations_week_of_May07
Registrations_week_of_May14
Registrations_week_of_Apr23
Registrations_week_of_Apr30

Tags (4)
Preview file
1 KB
0 Karma
Reply

niketn
Legend
‎05-18-2018 08:19 AM

@HattrickNZ, the idea of Timewrap command is for you to write a single search for complete timerange and let the command create Time bucket for series comparison.

For example the following run anywhere search. However, as you would have seen the resulting series will be sorted in chronological order. In your case you can optionally also use time_format="Week of %Y-%m-%d" :

index=_internal earliest=-21d@w1 latest=+7d@w1 
| eval KPI1=random()
| timechart span=5m max(KPI1) as Registrations_w1

Since, you need the series to be reverse sorted and already have used the appendcol command. All you need to do is rename the series to something meaningful format and adjust x-axis for same time-range, to let the series overlap. Refer to this Splunk blog: https://www.splunk.com/blog/2012/02/19/compare-two-time-ranges-in-one-report.html

Following is run anywhere example to test:

index=_internal earliest=@w1 latest=+7d@w1 
| eval KPI1=random() 
| timechart span=5m max(KPI1) as Registrations_current_week
| appendcols 
    [ search 
        index=_internal earliest=-7d@w1 latest=@w1 
    | eval KPI1=random() 
    | timechart span=5m max(KPI1) as Registrations_last_07days
    |  eval _time=_time+60*60*24*7 ] 
| appendcols 
    [ search 
        index=_internal earliest=-14d@w1 latest=-7d@w1 
    | eval KPI1=random() 
    | timechart span=5m max(KPI1) as Registrations_last_14days
    | eval _time=_time+60*60*24*14 
        ] 
| appendcols 
    [ search 
        index=_internal earliest=-21d@w1 latest=-14d@w1 
    | eval KPI1=random() 
    | timechart span=5m max(KPI1) as Registrations_last_21days
    | eval _time=_time+60*60*24*21
        ]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...