Splunk Search

How to sort values on x-axis based on the values of other fields

bollam
Path Finder

Hello,

I'm trying to plot a graph based on three fields.

The events contain the job, startTime, usedMemory. I want to plot a graph based on the start_time(epochTime) of the job.

I have a query written as follow.

index=main 
| eventstats earliest(startTime) as start_time by job
| stats first(totalMB) as total sum(UsedMB) AS a by start_time, stage
| eval pct=round((a/total)*100,2)
| table start_time stage pct

This query is giving me the right results as expected.

job start_time pct
b 00:05 20
c 00:10 15
f 00:25 55
a 00:00 40
d 00:15 60

When trying to plot a graph using following query, The job is getting sorted in the ascending order which I do not want.
I wanted the way how it is shown above on the x-axis ( b c f a d )

I need the values on the x-axis how the results with table command.

index=main 
| eventstats earliest(startTime) as start_time by job
| stats first(totalMB) as total sum(UsedMB) AS a by start_time, job
| eval pct=round((a/total)*100,2)
| table start_time job pct
| chart avg(pct) as Mem_used by job
Tags (3)
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@bollam

You can try by retaining order in other field..

Can you please try this?

index=main 
| eventstats earliest(startTime) as start_time by job
| stats first(totalMB) as total sum(UsedMB) AS a by start_time, job
| eval pct=round((a/total)*100,2)
| table job start_time pct | eval no=1 | accum no | chart avg(pct) as Mem_used values(no) as no by job | sort no | fields - no
0 Karma

bollam
Path Finder

@kamlesh_vaghela, Thanks much!! It worked

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@bollam

Glad to help you. Can you please accept the answer to help the community.

Happy Splunking

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...