Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to order columns based on month name - chronological

sangs8788
Communicator
‎05-19-2020 05:25 AM

Hi,

I have a written query which would result the details grouped by Month and ordered in the Month manner.
Since I using xfields to process one of the columns, the query doesnt return the value in the Month ordered. 

 source=detailed |convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency  | eval Month = case(Month==01, "Jan", Month==02, "Feb", Month==3, "Mar", Month==4, "Apr", Month==5, "May", Month==6, "Jun", Month==7, "Jul", Month==8, "Aug", Month==9, "Sep", Month==10, "Oct", Month==11, "Nov", Month==12, "Dec")  
| sort Year, Month |eval Month=Month + "-" + Year 
| eval xfields='CONTENT_PARTY_NAME'+":"+'DOCUMENT_TYPE'
| chart P90(P90_E2E_Latency) as E2E_Latency by  Month, xfields useother=f limit=10000
| transpose 20 header_field=Month, column_name=xfields
| rex field=xfields "(?<CONTENT_PARTY_NAME>.+):(?<DOCUMENT_TYPE>.+)"
| fields - xfields
| table CONTENT_PARTY_NAME, DOCUMENT_TYPE, *

Using table or fields doesnt display the columns in chronological order. Rather it displays the columns as CONTENT_PARTY_NAME, DOCUMENT_TYPE, APRIL-2020, FEB-2020 etc.
alt text
How do i display the result as CONTENT_PARTY_NAME, DOCUMENT_TYPE, JAN-2020, FEB-2020 etc. Chronological order. I dont want to manually specify the column names. Please advise.

Thanks

Preview file
1 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎05-19-2020 11:31 PM 
source=detailed
|convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency
| bin _time span=1month
| stats p90(P90_E2E_Latency) as E2E_Latency by _time CONTENT_PARTY_NAME DOCUMENT_TYPE
| rename COMMENT as "this is enough to display graph"
| rename COMMENT as "this is extra step, I think"
| eval tmp=CONTENT_PARTY_NAME.":".DOCUMENT_TYPE
| eval _time = strftime(_time,"%b-%Y")
| xyseries tmp _time E2E_Latency
| eval CONTENT_PARTY_NAME=mvindex(split(tmp,":"),0), DOCUMENT_TYPE=mvindex(split(tmp,":"),1)
| table CONTENT_PARTY_NAME DOCUMENT_TYPE [| tstats count where source=detailed by _time span=1month
| eval _time =strftime(_time,"%b-%Y")
| stats list(_time) as time
| eval search=mvjoin(time,",")
| fields search]

How about this?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-19-2020 05:54 AM

I'm not sure what you want the end results to be, but perhaps | table CONTENT_PARTY_NAME, DOCUMENT_TYPE, * will do.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sangs8788
Communicator
‎05-19-2020 10:15 PM

table wouldnt work. because the column gets displayed in as April-2020, Feb-2020 etc. I want the columns to be ordered in chronological order.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...