Archive

How to order columns based on month name - chronological

Communicator

Hi,

I have a written query which would result the details grouped by Month and ordered in the Month manner.
Since I using xfields to process one of the columns, the query doesnt return the value in the Month ordered.

 source=detailed |convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency  | eval Month = case(Month==01, "Jan", Month==02, "Feb", Month==3, "Mar", Month==4, "Apr", Month==5, "May", Month==6, "Jun", Month==7, "Jul", Month==8, "Aug", Month==9, "Sep", Month==10, "Oct", Month==11, "Nov", Month==12, "Dec")  
| sort Year, Month |eval Month=Month + "-" + Year 
| eval xfields='CONTENT_PARTY_NAME'+":"+'DOCUMENT_TYPE'
| chart P90(P90_E2E_Latency) as E2E_Latency by  Month, xfields useother=f limit=10000
| transpose 20 header_field=Month, column_name=xfields
| rex field=xfields "(?<CONTENT_PARTY_NAME>.+):(?<DOCUMENT_TYPE>.+)"
| fields - xfields
| table CONTENT_PARTY_NAME, DOCUMENT_TYPE, *

Using table or fields doesnt display the columns in chronological order. Rather it displays the columns as CONTENT_PARTY_NAME, DOCUMENT_TYPE, APRIL-2020, FEB-2020 etc.
alt text
How do i display the result as CONTENT_PARTY_NAME, DOCUMENT_TYPE, JAN-2020, FEB-2020 etc. Chronological order. I dont want to manually specify the column names. Please advise.

Thanks

0 Karma

SplunkTrust
SplunkTrust
source=detailed
|convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency
| bin _time span=1month
| stats p90(P90_E2E_Latency) as E2E_Latency by _time CONTENT_PARTY_NAME DOCUMENT_TYPE
| rename COMMENT as "this is enough to display graph"
| rename COMMENT as "this is extra step, I think"
| eval tmp=CONTENT_PARTY_NAME.":".DOCUMENT_TYPE
| eval _time = strftime(_time,"%b-%Y")
| xyseries tmp _time E2E_Latency
| eval CONTENT_PARTY_NAME=mvindex(split(tmp,":"),0), DOCUMENT_TYPE=mvindex(split(tmp,":"),1)
| table CONTENT_PARTY_NAME DOCUMENT_TYPE [| tstats count where source=detailed by _time span=1month
| eval _time =strftime(_time,"%b-%Y")
| stats list(_time) as time
| eval search=mvjoin(time,",")
| fields search]

How about this?

0 Karma

SplunkTrust
SplunkTrust

I'm not sure what you want the end results to be, but perhaps | table CONTENT_PARTY_NAME, DOCUMENT_TYPE, * will do.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Communicator

table wouldnt work. because the column gets displayed in as April-2020, Feb-2020 etc. I want the columns to be ordered in chronological order.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!