Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to order columns based on month name - chronological

sangs8788
Communicator
‎05-19-2020 05:25 AM

Hi,

I have a written query which would result the details grouped by Month and ordered in the Month manner.
Since I using xfields to process one of the columns, the query doesnt return the value in the Month ordered. 

 source=detailed |convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency  | eval Month = case(Month==01, "Jan", Month==02, "Feb", Month==3, "Mar", Month==4, "Apr", Month==5, "May", Month==6, "Jun", Month==7, "Jul", Month==8, "Aug", Month==9, "Sep", Month==10, "Oct", Month==11, "Nov", Month==12, "Dec")  
| sort Year, Month |eval Month=Month + "-" + Year 
| eval xfields='CONTENT_PARTY_NAME'+":"+'DOCUMENT_TYPE'
| chart P90(P90_E2E_Latency) as E2E_Latency by  Month, xfields useother=f limit=10000
| transpose 20 header_field=Month, column_name=xfields
| rex field=xfields "(?<CONTENT_PARTY_NAME>.+):(?<DOCUMENT_TYPE>.+)"
| fields - xfields
| table CONTENT_PARTY_NAME, DOCUMENT_TYPE, *

Using table or fields doesnt display the columns in chronological order. Rather it displays the columns as CONTENT_PARTY_NAME, DOCUMENT_TYPE, APRIL-2020, FEB-2020 etc.
alt text
How do i display the result as CONTENT_PARTY_NAME, DOCUMENT_TYPE, JAN-2020, FEB-2020 etc. Chronological order. I dont want to manually specify the column names. Please advise.

Thanks

Preview file
83 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎05-19-2020 11:31 PM 
source=detailed
|convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency
| bin _time span=1month
| stats p90(P90_E2E_Latency) as E2E_Latency by _time CONTENT_PARTY_NAME DOCUMENT_TYPE
| rename COMMENT as "this is enough to display graph"
| rename COMMENT as "this is extra step, I think"
| eval tmp=CONTENT_PARTY_NAME.":".DOCUMENT_TYPE
| eval _time = strftime(_time,"%b-%Y")
| xyseries tmp _time E2E_Latency
| eval CONTENT_PARTY_NAME=mvindex(split(tmp,":"),0), DOCUMENT_TYPE=mvindex(split(tmp,":"),1)
| table CONTENT_PARTY_NAME DOCUMENT_TYPE [| tstats count where source=detailed by _time span=1month
| eval _time =strftime(_time,"%b-%Y")
| stats list(_time) as time
| eval search=mvjoin(time,",")
| fields search]

How about this?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-19-2020 05:54 AM

I'm not sure what you want the end results to be, but perhaps | table CONTENT_PARTY_NAME, DOCUMENT_TYPE, * will do.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sangs8788
Communicator
‎05-19-2020 10:15 PM

table wouldnt work. because the column gets displayed in as April-2020, Feb-2020 etc. I want the columns to be ordered in chronological order.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...