Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Creating a table with chronological headers

Stevelim
Communicator
‎07-17-2019 04:42 AM

Given a week worth of timestamped data like the following:

1st FEB
Time = "010219 0100" Category = "A" Value = "1.1"
Time = "010219 0100" Category = "B" Value = "1.3"
Time = "010219 0110" Category = "A" Value = "2.1" <- Last data for A on 1st FEB
Time = "010219 0110" Category = "B" Value = "2.2" <- Last data for B on 1st FEB

2nd FEB
Time = "020219 0100" Category = "A" Value = "1.1"
Time = "020219 0100" Category = "B" Value = "1.3"
Time = "020219 0110" Category = "A" Value = "1.1" <- Last data for A on 2nd FEB
Time = "020219 0110" Category = "B" Value = "1.2" <- Last data for B on 2nd FEB

...

Assuming my keys are extracted correctly, how can I display a table of this format:
Category 01-FEB 02-FEB...
A 2.1 1.1
B 2.2 1.2

I am able to get to this point with the following query:

<Base Search>
| dedup date_mday, date_month, TagName
| eval date = strftime(_time,"%Y%m%d-%b")
| xyseries TagName, date, Value

and get the following results:
Category 20190219-Feb 20190219-Feb
A 2.1 1.1
B 2.2 1.2

How can I rename manipulate the header such that they are all in chronological order with the correct header names? For context, the data will be searched for an entire year. I was able to get close to the presentation but encountered an ordering issue, for example, all the 01-X grouped together, 01-JAN, 01-FEB, 01-MAR and so on

Tags (1)
0 Karma
Reply

chinmoya
Communicator
‎07-22-2019 06:16 AM

try below:
| eval date = strftime(_time,"%Y%m%d-%b")

| chart latest(Value) over Category by date

An example similar to yours with internal index
index=_internal earliest=-7d@d latest=now| eval display_time = strftime(_time,"%Y%m%d-%b") | chart latest(log_level) over sourcetype by display_time

The strftime conversation can be changed as needed

0 Karma
Reply

Stevelim
Communicator
‎07-22-2019 06:37 AM

The issue with this technique is that I need the format to be 22-Jul for example. Changing the eval strtime command to strftime(_time,"%d-%b") works but only for a month of data. I eventually need this to go over a year worth of data which will end up with this arrangement of headers if I go with this:

01-JAN | 01-FEB .. | 01-DEC | 02-JAN |

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...