Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to order columns based on month name - chronological

sangs8788
Communicator
‎05-19-2020 05:25 AM

Hi,

I have a written query which would result the details grouped by Month and ordered in the Month manner.
Since I using xfields to process one of the columns, the query doesnt return the value in the Month ordered. 

 source=detailed |convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency  | eval Month = case(Month==01, "Jan", Month==02, "Feb", Month==3, "Mar", Month==4, "Apr", Month==5, "May", Month==6, "Jun", Month==7, "Jul", Month==8, "Aug", Month==9, "Sep", Month==10, "Oct", Month==11, "Nov", Month==12, "Dec")  
| sort Year, Month |eval Month=Month + "-" + Year 
| eval xfields='CONTENT_PARTY_NAME'+":"+'DOCUMENT_TYPE'
| chart P90(P90_E2E_Latency) as E2E_Latency by  Month, xfields useother=f limit=10000
| transpose 20 header_field=Month, column_name=xfields
| rex field=xfields "(?<CONTENT_PARTY_NAME>.+):(?<DOCUMENT_TYPE>.+)"
| fields - xfields
| table CONTENT_PARTY_NAME, DOCUMENT_TYPE, *

Using table or fields doesnt display the columns in chronological order. Rather it displays the columns as CONTENT_PARTY_NAME, DOCUMENT_TYPE, APRIL-2020, FEB-2020 etc.
alt text
How do i display the result as CONTENT_PARTY_NAME, DOCUMENT_TYPE, JAN-2020, FEB-2020 etc. Chronological order. I dont want to manually specify the column names. Please advise.

Thanks

Preview file
1 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎05-19-2020 11:31 PM 
source=detailed
|convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency
| bin _time span=1month
| stats p90(P90_E2E_Latency) as E2E_Latency by _time CONTENT_PARTY_NAME DOCUMENT_TYPE
| rename COMMENT as "this is enough to display graph"
| rename COMMENT as "this is extra step, I think"
| eval tmp=CONTENT_PARTY_NAME.":".DOCUMENT_TYPE
| eval _time = strftime(_time,"%b-%Y")
| xyseries tmp _time E2E_Latency
| eval CONTENT_PARTY_NAME=mvindex(split(tmp,":"),0), DOCUMENT_TYPE=mvindex(split(tmp,":"),1)
| table CONTENT_PARTY_NAME DOCUMENT_TYPE [| tstats count where source=detailed by _time span=1month
| eval _time =strftime(_time,"%b-%Y")
| stats list(_time) as time
| eval search=mvjoin(time,",")
| fields search]

How about this?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-19-2020 05:54 AM

I'm not sure what you want the end results to be, but perhaps | table CONTENT_PARTY_NAME, DOCUMENT_TYPE, * will do.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sangs8788
Communicator
‎05-19-2020 10:15 PM

table wouldnt work. because the column gets displayed in as April-2020, Feb-2020 etc. I want the columns to be ordered in chronological order.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...