I'm trying to make a table of bookings from the whole 2019, my search is working as expected except for one column.
I've made a deep search and tried with convert, rename and eval functions but none of them are working for me (at least the way I'm using them).
This is my search and the result of my table:
index=myIndex host=myHost confirmationNumber step_code="'BOOKING_DONE'" earliest=01/01/2019:00:00:00 latest=12/31/2019:00:00:00 | spath | timechart span=1mon count by Resort limit=0 | addtotals | addcoltotals | eval Month=strptime(_time,"%M") | table _time, 'BBO', 'BNG', 'BRP', 'BTC', 'INN', 'NGA', 'SAT', 'SBD', 'SBR', 'SEB', 'SGL', 'SGO', 'SHC', 'SLS', 'SLU', 'SMB', 'SNG', 'SRB', 'SRC', 'SWH', Total | rename _time AS Month
PD: Also trying to add a label to the last empty row and change it's name to "Total per Resort"
1 Solution
You're a very nice gentlemen my friend!
Issue is fixed
I just have one more issue, when I try to rename my column header, it converts it again to an Epoch time, this is my new modified search with your solution:
index=myIndex host=myHost confirmationNumber step_code="'BOOKING_DONE'" earliest=01/01/2019:00:00:00 latest=12/31/2019:00:00:00 | spath | timechart span=1mon count by Resort limit=0 | addtotals | addcoltotals | table _time, 'BBO', 'BNG', 'BRP', 'BTC', 'INN', 'NGA', 'SAT', 'SBD', 'SBR', 'SEB', 'SGL', 'SGO', 'SHC', 'SLS', 'SLU', 'SMB', 'SNG', 'SRB', 'SRC', 'SWH', Total | fieldformat _time=strftime(_time, "%B %Y") | rename _time AS "Month"
