I have written a query which should return the details grouped by Month and ordered by Month.
Since I am using xfields to process one of the columns, the query doesn't return the values in Month order.
source=detailed
| convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency
| eval Month = case(Month==01, "Jan", Month==02, "Feb", Month==3, "Mar", Month==4, "Apr", Month==5, "May", Month==6, "Jun", Month==7, "Jul", Month==8, "Aug", Month==9, "Sep", Month==10, "Oct", Month==11, "Nov", Month==12, "Dec")
| sort Year, Month
| eval Month=Month + "-" + Year
| eval xfields='CONTENT_PARTY_NAME'+":"+'DOCUMENT_TYPE'
| chart P90(P90_E2E_Latency) as E2E_Latency by Month, xfields useother=f limit=10000
| transpose 20 header_field=Month, column_name=xfields
| rex field=xfields "(?<CONTENT_PARTY_NAME>.+):(?<DOCUMENT_TYPE>.+)"
| fields - xfields
| table CONTENT_PARTY_NAME, DOCUMENT_TYPE, *
Using table or fields doesn't display the columns in chronological order. Rather, it displays the columns as CONTENT_PARTY_NAME, DOCUMENT_TYPE, APRIL-2020, FEB-2020 etc.
How do I display the result as CONTENT_PARTY_NAME, DOCUMENT_TYPE, JAN-2020, FEB-2020 etc., in chronological order? I don't want to manually specify the column names. Please advise.
source=detailed
| convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency
| bin _time span=1month
| stats p90(P90_E2E_Latency) as E2E_Latency by _time CONTENT_PARTY_NAME DOCUMENT_TYPE
| rename COMMENT as "this is enough to display graph"
| rename COMMENT as "this is extra step, I think"
| eval tmp=CONTENT_PARTY_NAME.":".DOCUMENT_TYPE
| eval _time = strftime(_time,"%b-%Y")
| xyseries tmp _time E2E_Latency
| eval CONTENT_PARTY_NAME=mvindex(split(tmp,":"),0), DOCUMENT_TYPE=mvindex(split(tmp,":"),1)
| table CONTENT_PARTY_NAME DOCUMENT_TYPE
    [| tstats count where source=detailed by _time span=1month
    | eval _time =strftime(_time,"%b-%Y")
    | stats list(_time) as time
    | eval search=mvjoin(time,",")
    | fields search]
How about this?