Sort column headers in timechart - customize

martin86 — Fri, 02 Jul 2021 09:45:09 GMT

Hi,

I would like to ask you, of there is some possibility order column based on requirement.

Case:

<search> |eval lower_raw = lower(_raw) |rex field=lower_raw "^.*d=(?<opentask>[0-9]+).*" |rex field=lower_raw "^.*pm\s(?<trace>[0-9a-z-]+).*" |rex field=lower_raw "^.*taskid=(?<opentask>[0-9]+).*" |rex field=lower_raw "^.*uuid=(?<trace>[0-9a-z-]+).*" | eval task=opentask ."_".trace | transaction task | eval timedelay=case(duration>=0 AND duration<2,"1 sec",duration>=2 AND duration<6,"2-5 sec",duration>=6 AND duration<11,"6-10 sec",duration>=11,"11 and more sec",1=1,"error") | timechart span=10m count avg(duration) as avg by timedelay | sort by _time timedelay desc

I would like to have sorted by group (count event) and AVG duration

I mean, first column time (ok now)

second will be "count: 1sec"

third: "avg: 1sec"

forth: "count: 2-5sec"

fifth: "avg: 2-5sec"

etc.

Current it looks like this

which is not nice

expectation:

Thank you

Re: Sort column headers in timechart - customize

kamlesh_vaghela — Fri, 02 Jul 2021 10:53:52 GMT

@martin86

I suggest to use table command to rearrange the columns.

| timechart span=10m count avg(duration) as avg by timedelay | sort by _time timedelay desc |table LIST OF COLUMNS YOU NEED

Re: Sort column headers in timechart - customize

martin86 — Fri, 02 Jul 2021 11:01:48 GMT

@kamlesh_vaghela

Thank you, it works

topic Re: Sort column headers in timechart - customize in Splunk Search

Sort column headers in timechart - customize

Re: Sort column headers in timechart - customize

Re: Sort column headers in timechart - customize