So I am doing a search command for failed authentication events that results in a data stream of the UserID, the count of events, and their time. I have tried many combinations of all kinds of variations of the sort command, and tried modifying the timechart parameters. The stream uses a rex command to generate a field called 'failedAuthUser' that represents the user id of the account failing the authentication.
Here is what I have:
"search" | sort num(count) | timechart count by failedAuthUser*
I am trying to get the legend to display the users that have Failed Auth events in order of highest count to the lowest. I have tried to put the sort command before and after the timechart command, and no impact, and nothing I can find in searching Splunk support resources gets me what I am looking for. This must be doable - right?
The solution is explained on: http://docs.splunk.com/Documentation/Splunk/6.1.3/AdvancedDev/Chartcustomization
In my case, instead of legends A, B, C, I just changed to B, C, A:
<option name="charting.legend.labels">[B,C,A]</option>
It worked fine
Timechart can be sorted only by time.
Have you tried
|chart count by failedAuthUser |sort num(count)
Charts made by timechart are implicitly sorted by _time. That's why they are "time" charts.
Remember that timechart is computing a span and counting how many events occur during each value of span. So over a whole week, timechart might come up with a span of 1 day, and give you a count per user per day. It really doesn't make sense to try to sort such a result by anything but _time.
Under the covers, timechart span=ZZZ XXX by YYY
does something like this ...
| bucket span=ZZZ _time | chart XXX over _time by YYY
You might use the regular chart command instead of timechart, and then they should be more easily organizable. But, your count will be of the total number of failed logins by user over the time range of the search.
Darn it! So close, yet so far. Maybe with V6? Maybe I should try it in advanced XML mode. It seems kind of arbitrary to sort the items in the series alphabetically, and not by the user's choice.
OH! So a timechart is what you actually wanted, but this is about the sorting of the series in the legend? I took a quick look at the Charting reference at http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomChartingConfig-ChartLegend and I don't think this is possible with splunk as-is.
Thanks for the reply, I guess I wasn't as clear as I should have been. The results of the series - the FailedAuthUser - appear in the legend sorted alphabetically. This isn't really helpful because some of the users with the lower count are at the top of the alphabetical list. I would like the legend to show the users with the highest failed auth count highest in the list.