Splunk Search

Sort the legend's display from chart

BDAS
Explorer

Hi everyone!

I would like to display several areas (stacked) or columns in a specific order. Here is my charting command :

| chart avg(countUsers) as avgCountUsers over Time by ID

My IDs are like 1001, 1002, 1003 ... 2001, 2002 ...

For example, the average corresponding to 1001 is above 1002, which is above 1003, and I want to reverse the areas/columns so that I display 1001 first, then 1002 on top of it, etc.

I tried the sort command and the reverse one, but my chart remained the same, maybe I haven't used it correctly.

Any ideas?

Thanks in advance!

BlueLychee.

Tags (1)

uksysadmins
New Member

Looks like the chart module just creates the legend entry when it gets an entry so you just need to sort by ID prior to piping it the chart.

| sort ID | chart avg(countUsers) as avgCountUsers over Time by ID

0 Karma

nugetchar
Explorer

I don't really understand... Don't you just have to write something like that?
==> "| fields 1003, 1002, 1001"

Unless you cannot know in advance how many results you will have... For example "1001 1002 1003" and later "2001 2002 2003 2004 2005"... In this case (and know I assume that this is your situation), I don't know how to do...

nugetchar

BDAS
Explorer

Thanks for answering so fast!

Yes, it works fine with | fields 1003 1002 1001 but I want my search to be generic in case I would receive other IDs (ex: 4001, 4002 ...)

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...