Hi,
I have a search table that aims to show the inflow of tickets for a time range.
Here is what it looks like...
Hour | Apr-18 | Apr-19 | Aug-18 | Dec-18
0:00 | 2 | 3 | 5 | 3
1:00 | 2 | 13 | 2 | 1
Here is the search for this table...
index=_internal
| bin _time span=1h
| eval hour = strftime(_time, "%H:%M")
| eval monthYear = strftime(_time, "%b-%y")
| stats count(ticketNumber) as inflow values(hour) as hour values(monthYear) as monthYear by _time
| chart limit=0 sum(inflow) as inflow over hour by monthYear
I want to sort my columns by date (Apr-18, Aug-18, Dec-18, Apr-19). I cannot use "fields ..." because the user is free to input the time range that the table will display.
Any help would be appreciated. Thank you.
I solved it by appending a "-01" on monthYear and then transposing the chart.
index=_internal
| timechart span=1h count
| eval hour = strftime(_time, "%H:%M")
| eval monthYear = strftime(_time, "%b-%y")
| chart limit=0 sum(count) as inflow over monthYear by hour
| eval dateSort = monthYear . "-1"
| eval dateSortEpoch = strptime(dateSort, "%b-%y-%d")
| sort dateSortEpoch
| transpose 0 column_name="Time" header_field="monthYear"
| search NOT Time = "date*"