Splunk Search

How to specify the order of fields legend in a chart?

jdagenais
Explorer

I created a search query that returns a set of database alerts which contains a field called alert. The field contains text values such as alert_15s, alert_120s, etc.

I am building a stacked chart which currently displays these alerts in this order:

alert_120s
alert_15s
alert_180s
alert_300s
alert_600s
alert_60s

How can I change the order of the fields/legends to be this way:

alert_15s
alert_60s
alert_120s
alert_180s
alert_300s
alert_600s

Thanks, Jean


sideview
SplunkTrust

If you are graphing something and your legend values are coming out:

alert_120s
alert_15s
alert_180s
alert_300s
alert_600s
alert_60s

and you want the legend values to be in this order:

alert_15s
alert_60s
alert_120s
alert_180s
alert_300s
alert_600s

it's dead simple. Take whatever search was generating the order you didn't want, and tack on a fields clause to reorder them.

<your search> | fields _* * alert_15s alert_60s alert_120s alert_180s alert_300s alert_600s

The FlashChart module just puts up legend items in the order it gets them, so all you have to do is change the order with fields or table.

The little wildcard terms are telling Splunk to put all the hidden 'underscore' columns first, then any other columns, and then finally end the sequence with the specified columns. If you'd rather specify the columns explicitly you can of course do that. Note that the fields clause seems to damage timechart now, in that the _time field can get removed if you leave off _* or _time...

sansay
Contributor

This is all very fine if you know what the fields will be.
But what about inverting the order of fields dynamically?
"sort" doesn't work.


jdagenais
Explorer

This is the solution I have found for this type of problem.

This provides both tabular and sorted results by month, day, and alert type.

* sourcetype="sybase_alert" NOT alert="alert_error" NOT alert="alert_network"
| stats
count(eval(alert="alert_15s")) as a_015,
count(eval(alert="alert_60s")) as a_060,
count(eval(alert="alert_120s")) as a_120,
count(eval(alert="alert_300s")) as a_300,
count(eval(alert="alert_600s")) as a_600,
count(eval(alert="alert_deadlock")) as deadlock
by date_month, date_mday | sort date_month, date_mday
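The two answers above both hard-code the alert names: sideview's fields clause lists them in the wanted order, and jdagenais's stats renames them to zero-padded aliases (a_015, a_060, ...) so that lexical order equals numeric order. The search below is an added illustration, not code posted by anyone in this thread, of the dynamic variant sansay asks about: it derives the padded name from the alert value itself, so no list of alert names has to be maintained. It assumes the alert values follow the pattern alert_<seconds>s; <your search> is a placeholder for the base search, and values that do not match the pattern (alert_deadlock, for example) are given a z_ prefix so they land at the end of the legend instead of being dropped.

```spl
<your search>
| rex field=alert "^alert_(?<secs>\d+)s$"
| eval legend_key=if(isnotnull(secs), "alert_" . substr("0000" . secs, -4) . "s", "z_" . alert)
| timechart span=1h count by legend_key
```

The rex command pulls the number of seconds out of the alert name into secs (events whose alert does not match leave secs null). The eval pads that number to four digits, so alert_0015s, alert_0060s and alert_0120s sort in the same order as 15, 60 and 120, and timechart (like chart) emits its split-by series in the lexical order of the by-field values, which is exactly the order the original question saw go wrong. The cost is that the legend shows the padded labels; if the original labels are required, the explicit fields or table clause from sideview's answer is still the way to restore them, and as noted there, keep _* or _time in that clause so timechart keeps its time axis.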