Solved: Sort column headers in timechart - customize

martin86 · ‎07-02-2021

Hi,

I would like to ask you, of there is some possibility order column based on requirement.

Case:

<search>
|eval lower_raw = lower(_raw) 
|rex field=lower_raw "^.*d=(?<opentask>[0-9]+).*" 
|rex field=lower_raw "^.*pm\s(?<trace>[0-9a-z-]+).*" 
|rex field=lower_raw "^.*taskid=(?<opentask>[0-9]+).*" 
|rex field=lower_raw "^.*uuid=(?<trace>[0-9a-z-]+).*" 
| eval task=opentask ."_".trace 
| transaction task
| eval timedelay=case(duration>=0 AND duration<2,"1 sec",duration>=2 AND duration<6,"2-5 sec",duration>=6 AND duration<11,"6-10 sec",duration>=11,"11 and more sec",1=1,"error") 
| timechart span=10m count avg(duration) as avg  by timedelay 
| sort by _time timedelay desc

I would like to have sorted by group (count event) and AVG duration

I mean, first column time (ok now)

second will be "count: 1sec"

third: "avg: 1sec"

forth: "count: 2-5sec"

fifth: "avg: 2-5sec"

etc.

Current it looks like this

which is not nice

expectation:

Thank you

kamlesh_vaghela · ‎07-02-2021

@martin86

I suggest to use table command to rearrange the columns.

Like

| timechart span=10m count avg(duration) as avg  by timedelay 
| sort by _time timedelay desc
|table LIST OF COLUMNS YOU NEED

KV

View solution in original post

martin86 · ‎07-02-2021

@kamlesh_vaghela

Thank you, it works

kamlesh_vaghela · ‎07-02-2021

@martin86

I suggest to use table command to rearrange the columns.

Like

| timechart span=10m count avg(duration) as avg  by timedelay 
| sort by _time timedelay desc
|table LIST OF COLUMNS YOU NEED

KV

Sort column headers in timechart - customize

timechart

transaction

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation