Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why can't I get my series in a timechart to sort?

desertpilotjc
Explorer
‎10-09-2013 02:47 PM

SO I am doing a search command for failed authentication events that results in a data stream of the UserID and the count of events, and their time. I have tried many combinations of all kinds of variations of the sort command, and trying to modify the timechart parameters. The stream uses a rex command to generate a field called 'failedAuthUser' that represents the user id of the account failing the authentication.
Here is what I have:

"search" | sort num(count) | timechart count by failedAuthUser*

I am trying to get the legend to display the users that have Failed Auth events in order of highest count to the lowest. I have tried to put the sort command before and after the timechart command, and no impact, and nothing I can find in searching Splunk support resources gets me what I am looking for. This must be doable - right?

Tags (2)
Reply

fabiocaldas
Contributor
‎09-18-2014 08:12 AM

The solution is explained on: http://docs.splunk.com/Documentation/Splunk/6.1.3/AdvancedDev/Chartcustomization

In my case, instead of legends A,B,C .. I just changed to B,C,A

<option> name="charting.legend.labels">[B,C,A]</option>

It worked fine

0 Karma
Reply

lukejadamec
Super Champion
‎10-09-2013 02:59 PM

Timechart can be sorted by only time.

Have you tried

|chart count by failedAuthUser |sort num(count)

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎10-09-2013 02:57 PM

Charts made by timechart are implicitly sorted by _time. That's why they are "time" charts.

Remember that timechart is computing a span and counting how many events occur during each value of span. So over a whole week, timechart might come up with a span of 1 day, and give you a count per user per day. It really doesn't make sense to try to sort such a result by anything but _time.

Under the covers, timechart span=ZZZ XXX by YYY does something like this ...

| bucket span=ZZZ _time | chart XXX over _time by YYY

You might use the regular chart command instead of timechart, and then they should be more easily organizable. But, your count will be of the total number of failed logins by user over the time range of the search.

0 Karma
Reply

desertpilotjc
Explorer
‎10-09-2013 03:13 PM

Darn it! So close, yet so Far. maybe with V6? maybe i should try it in advanced XML mode. it seems kind of arbitrary to sort the items in the series alphabetically, and not by the user's choice.

Reply

dwaddle
SplunkTrust
SplunkTrust
‎10-09-2013 03:09 PM

OH! So a timechart is what you actually wanted, but this is about the sorting of the series in the legend? I took a quick look at the Charting reference at http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomChartingConfig-ChartLegend and I don't think this is possible with splunk as-is.

0 Karma
Reply

desertpilotjc
Explorer
‎10-09-2013 03:02 PM

thanks for the reply, I guess i wasn't as clear as I should have been. The results of the series - the FailedAuthUser, appear in the legend sorted alphabetically. This isn't really helpful because some of the users with the lower count are at the top of the alpabetical list. I would like the legend to show the users with the highest failed auth count highest in the list.

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...