I have data in index=xyz in JSON format, with HTTP status codes from specific applications.
This below is a single event's data:
Application   | Status | reltime     |
application1  | 200    | 3 hours ago |
application 2 | 200    | 3 hours ago |
Here are two possibilities using foreach and transpose:
...
| stats latest(_time) as _time latest(Application*) as Application*
| foreach Application*
[ eval Application=mvappend(Application, "<<FIELD>>|".<<FIELD>>) ]
| mvexpand Application
| eval reltime=tostring(now()-_time, "duration")." ago", Application=split(Application, "|"), Status=mvindex(Application, 1), Application=mvindex(Application, 0)
| table Application Status reltime
...
| stats latest(_time) as _time latest(Application*) as Application*
| transpose 0 column_name=Application
| eval reltime=case(Application=="_time", 'row 1')
| filldown reltime
| eval reltime=tostring(now()-reltime, "duration")." ago"
| search Application=Application*
| rename "row 1" as Status
In both examples, reltime is formatted as a duration (d+HH:MM:SS) with the suffix "ago." If you want to show approximate seconds, minutes, hours, or days ago:
| eval reltime=now()-reltime, reltime=coalesce(case(reltime>=86400, floor(reltime/86400). " days", reltime<86400 AND reltime>=3600, floor(reltime/3600)." hours", reltime<3600 AND reltime>=60, floor(reltime/60)." minutes"), reltime." seconds")." ago"
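An added, self-contained check that is not part of the original answer: the transpose variant of the answer above, including the approximate "N hours ago" formatting, run over a constructed single JSON event built with makeresults and spath so it can be pasted into a search bar without index=xyz. The field names Application1 and Application2, the status values, and the 3-hour age are assumptions chosen to match the question's expected output; replace the makeresults/eval/spath lines with the real base search.

```spl
| makeresults ``` constructed sample event, not data from the original index ```
| eval _time=now()-10800 ``` 3 hours old, so reltime should read "3 hours ago" ```
| eval _raw="{\"Application1\": 200, \"Application2\": 503}" ``` assumed field names and status codes ```
| spath ``` extract Application1=200 and Application2=503 from the JSON in _raw ```
| stats latest(_time) as _time latest(Application*) as Application*
| transpose 0 column_name=Application ``` one row per field: _time, Application1, Application2 ```
| eval reltime=case(Application=="_time", 'row 1') ``` keep the epoch only on the _time row ```
| filldown reltime ``` copy that epoch down to every application row ```
| eval age=now()-reltime
| eval reltime=coalesce(case(age>=86400, floor(age/86400)." days", age>=3600, floor(age/3600)." hours", age>=60, floor(age/60)." minutes"), age." seconds")." ago"
| search Application=Application* ``` drop the _time row, keep only application rows ```
| rename "row 1" as Status
| table Application Status reltime
```

Expected result for the constructed event is two rows, Application1/200 and Application2/503, each with reltime "3 hours ago". The `age` field is a separate step so the seconds value stays available for sorting or thresholding; the original answer folds it into reltime in one eval, which works the same way.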