Solved: Chart using span logs does not show the columns in...

srenou · ‎05-18-2017

Hello,
I am trying to chart some response time and wanted to use the log span as:

index=myIndex "time_value" | chart count by time_ms bins=100 span=2log5

My concern is that Splunk seems to be doing some alphabetical sorting which mixes my span ranges

for example it shows the span in the order of :
0 10-50 1250-6250 250-1250
while I would expect:
0 10-50 250-1250 1250-6250

Thanks for any help.
Stephane

woodcock · ‎05-18-2017

You can fix this after the fact, like this:

| rename 0 AS "   0" "10-50" AS "  10-50" "250-1250" AS " 250-1250"

Note that 0 has been renamed with 3 leading spaces and 10-50 with just two (and so on until 1250-6250 is not renamed at all, so it has 0 spaces).
The whitespace is invisible in the chart but forces the alphabetical order that you desire.

View solution in original post

woodcock · ‎05-18-2017

You can fix this after the fact, like this:

| rename 0 AS "   0" "10-50" AS "  10-50" "250-1250" AS " 250-1250"

Note that 0 has been renamed with 3 leading spaces and 10-50 with just two (and so on until 1250-6250 is not renamed at all, so it has 0 spaces).
The whitespace is invisible in the chart but forces the alphabetical order that you desire.

srenou · ‎05-19-2017

thanks for the proposal, unfortunately that does not seem to work for me as the names are not getting changed with that process. I guess the chart is done before the rename and rename gets no effect. Looking at the splunk sample, http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Chart#9:_Chart_the_average_number_... I am getting a different result as the statistics data are not sorted on my side on my example, so I guess I may have some configuration issue or an invalid release.

woodcock · ‎05-19-2017

If you are running a fileds or table command, the fields may be re-sorted. Try stripping off the commands after the chart command to see where the resorting happens and see if you can use a different command or perhaps that command has a keepcolorder option (some commands do).

srenou · ‎05-19-2017

Thanks for the feedback.
unfortunately no. My request is just an index search piped to a chart count by MyCounter span=2log5.

My graph is strangely sorted as well as my statistics as if it is doing alphabetical sorting instead of looking at the ranges.
But that drove me to thinking that I should force the sorting, so adding sort MyCounter that made the trick.
Thanks again.

woodcock · ‎05-19-2017

So what exactly was your final search?

srenou · ‎05-22-2017

My final search is:
index=myIndex "time_value" | chart count by time_ms bins=100 span=2log5 | sort time_ms bins

woodcock · ‎05-22-2017

You need sort 0, not just sort.

srenou · ‎05-23-2017

Thanks for the feedback, strangely in my case the sort with the value is enough.

Chart using span logs does not show the columns in range order

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...