I have this search, and it works correctly:
source=foo resource=bar earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)"
| chart max(usage) over id by Day | where Yesterday!=Today | sort Today
It shows Today's bar on the left of Yesterday's bar for each id. I tried to reverse the order, to show Yesterday's bar on the left of Today's bar for each id, but did not find a way to make it work unless I rename the column(s), e.g. rename "Yesterday" to "Before" and rename "Today" to "Now". It appears that the default behavior is to sort in alphabetical order. Is there a better way to do this?
Thank you
Try the following.
source=foo resource=bar earliest=-1d@d latest=now
| eval Day=if(_time<relative_time(now(),"@d"),"1.Yesterday","2.Today")
| rex max_match=0 "(?:'id': )(?P<id>[^,]+)|(?:'usage': )(?P<usage>[^,]+)"
| chart max(usage) over id by Day
| where '1.Yesterday'!='2.Today'
| rename "1.Yesterday" as "Yesterday" "2.Today" as Today
Add this:
... | rename Yesterday AS " Yesterday"
Adding the space will re-order the fields but be invisible.
Thank you, that's clever, will keep that in mind.
I accepted niketnilay's answer because it was first. In the end I did not use rename but used
| table, id, Yesterday, Today
Curses, foiled again! Thanks for the UpVote! 😆
Thank you @niketnilay. I used Before and Now instead of Yesterday and Today respectively as an alternative to renaming, hoped there is a sort variation that could reverse the order instead of renaming.
There is also another way: | table, id, Yesterday, Today