Solved: Re: How to maintain the exact sequence of columns ...

pal4life · ‎03-27-2017

Hi,
I currently have this query

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"| table _time, high, medium, low | untable _time severity value| chart first(value) over _time by severity

But for some reason when the chart is drawn, it shows me a bar chart with high then low then medium on it, how can I ensure it maintains the sequence of high, medium and low?

Thanks.

somesoni2 · ‎03-27-2017

If the field names are static, you could just add your table command at the end as well.

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"| table _time, high, medium, low | untable _time severity value| chart first(value) over _time by severity | table _time, high, medium, low

After chart/timechart/xyseries type of commands fields name are sorted alphabatically (H,L,M). One workaround would be to add a numeric seq number to field names so that they are sorted numerically and retain their order.

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"| table _time, high, medium, low | untable _time severity value | streamstats count as sno by _time | eval severity=sno.".".severity | chart first(value) over _time by severity

View solution in original post

woodcock · ‎03-27-2017

Like this:

 source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"
| table _time high medium low
| rename high AS "  high" medium AS " medium"

Note that high has been renamed with 2 leading spaces and medium with just one (and low not at all).
The whitespace is invisible in the chart but forces the alphabetical order that you desire.
I do not think that you need the untable -> rechart because I am assuming that you did that in an attempt to re-order the fields but if you need it to coalesce values or times, then just add it back in.

woodcock · ‎03-27-2017

Hey, you forgot to test mine; it works and is the simplest.

DalJeanis · ‎05-17-2017

I like it, for small number of fields.

lguinn2 · ‎03-27-2017

Charts are sorted using the fields following the "by". "high, low, medium" is an alphabetic sort. Try this:

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"
| untable _time severity value
| eval severity_sorter = case(severity=="high",3, severity=="medium",2, severity=="low",1,1==1,0)
| chart first(value) by _time severity_sorter
| rename "1" as Low "2" as "Medium" "3" as "High"

pal4life · ‎03-27-2017

Seems like a good idea but this gives no output

DalJeanis · ‎05-17-2017

Underscore missing on _time was the reason for no data. Unfortunately, the rename reorders the fields, so you have to use either somesoni2's method (append numeric) or woodcock's (append spaces).

somesoni2 · ‎03-27-2017

If the field names are static, you could just add your table command at the end as well.

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"| table _time, high, medium, low | untable _time severity value| chart first(value) over _time by severity | table _time, high, medium, low

After chart/timechart/xyseries type of commands fields name are sorted alphabatically (H,L,M). One workaround would be to add a numeric seq number to field names so that they are sorted numerically and retain their order.

source="Splunk-dat-Month-CHML.csv" host="splunk.engine.host" index="security" sourcetype="csv"| table _time, high, medium, low | untable _time severity value | streamstats count as sno by _time | eval severity=sno.".".severity | chart first(value) over _time by severity

pal4life · ‎03-27-2017

The first one worked for me, I will try the 2nd option as well.

How to maintain the exact sequence of columns in chart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases