- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lostcauz3
Path Finder
12-30-2021
08:14 AM
i have data in an index=xyz in json format like with http status code from specific applications
this below is a single event data
{
"Application1": "200",
"Application2": "200",
"Application3": "200"
}
i want the data to be visualized like
| Application | Status | reltime |
| application1 | 200 | 3 hours ago |
| application 2 | 200 | 3 hours ago |
how can i get output like this ?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tscroggins
Influencer
01-02-2022
11:00 AM
Here are two possibilities using foreach and transpose:
...
| stats latest(_time) as _time latest(Application*) as Application*
| foreach Application*
[ eval Application=mvappend(Application, "<<FIELD>>|".<<FIELD>>) ]
| mvexpand Application
| eval reltime=tostring(now()-_time, "duration")." ago", Application=split(Application, "|"), Status=mvindex(Application, 1), Application=mvindex(Application, 0)
| table Application Status reltime...
| stats latest(_time) as _time latest(Application*) as Application*
| transpose 0 column_name=Application
| eval reltime=case(Application=="_time", 'row 1')
| filldown reltime
| eval reltime=tostring(now()-reltime, "duration")." ago"
| search Application=Application*
| rename "row 1" as StatusIn both examples, reltime is formatted as a duration (d+HH:MM:SS) with the suffix "ago." If you want to show approximate seconds, minutes, hours, or days ago:
| eval reltime=now()-reltime, reltime=coalesce(case(reltime>=86400, floor(reltime/86400). " days", reltime<86400 AND reltime>=3600, floor(reltime/3600)." hours", reltime<3600 AND reltime>=60, floor(reltime/60)." minutes"), reltime." seconds")." ago"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tscroggins
Influencer
01-02-2022
11:00 AM
Here are two possibilities using foreach and transpose:
...
| stats latest(_time) as _time latest(Application*) as Application*
| foreach Application*
[ eval Application=mvappend(Application, "<<FIELD>>|".<<FIELD>>) ]
| mvexpand Application
| eval reltime=tostring(now()-_time, "duration")." ago", Application=split(Application, "|"), Status=mvindex(Application, 1), Application=mvindex(Application, 0)
| table Application Status reltime...
| stats latest(_time) as _time latest(Application*) as Application*
| transpose 0 column_name=Application
| eval reltime=case(Application=="_time", 'row 1')
| filldown reltime
| eval reltime=tostring(now()-reltime, "duration")." ago"
| search Application=Application*
| rename "row 1" as StatusIn both examples, reltime is formatted as a duration (d+HH:MM:SS) with the suffix "ago." If you want to show approximate seconds, minutes, hours, or days ago:
| eval reltime=now()-reltime, reltime=coalesce(case(reltime>=86400, floor(reltime/86400). " days", reltime<86400 AND reltime>=3600, floor(reltime/3600)." hours", reltime<3600 AND reltime>=60, floor(reltime/60)." minutes"), reltime." seconds")." ago"
