Hi,
I would like to ask you if there is some possibility to order columns based on a requirement.
Case:
<search>
|eval lower_raw = lower(_raw)
|rex field=lower_raw "^.*d=(?<opentask>[0-9]+).*"
|rex field=lower_raw "^.*pm\s(?<trace>[0-9a-z-]+).*"
|rex field=lower_raw "^.*taskid=(?<opentask>[0-9]+).*"
|rex field=lower_raw "^.*uuid=(?<trace>[0-9a-z-]+).*"
| eval task=opentask ."_".trace
| transaction task
| eval timedelay=case(duration>=0 AND duration<2,"1 sec",duration>=2 AND duration<6,"2-5 sec",duration>=6 AND duration<11,"6-10 sec",duration>=11,"11 and more sec",1=1,"error")
| timechart span=10m count avg(duration) as avg by timedelay
| sort by _time timedelay desc
I would like to have it sorted by group (count of events) and AVG duration.
I mean, first column time (ok now)
second will be "count: 1sec"
third: "avg: 1sec"
fourth: "count: 2-5sec"
fifth: "avg: 2-5sec"
etc.
Currently it looks like this
which is not nice
expectation:
Thank you
I suggest using the table command to rearrange the columns.
Like
| timechart span=10m count avg(duration) as avg by timedelay
| sort by _time timedelay desc
|table LIST OF COLUMNS YOU NEED
KV
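The table approach from the answer above, written out for the four timedelay buckets in the question, as an added example that is not part of the original posts. It assumes timechart names the split columns "count: <bucket>" and "avg: <bucket>" as the question describes, and it uses makeresults with random durations as constructed sample data in place of the real search and transaction.

```spl
| makeresults count=500
| eval _time=_time - (random() % 3600)
| eval duration=random() % 15
| eval timedelay=case(duration>=0 AND duration<2,"1 sec",duration>=2 AND duration<6,"2-5 sec",duration>=6 AND duration<11,"6-10 sec",duration>=11,"11 and more sec",1=1,"error")
| timechart span=10m count avg(duration) as avg by timedelay
| table _time "count: 1 sec" "avg: 1 sec" "count: 2-5 sec" "avg: 2-5 sec" "count: 6-10 sec" "avg: 6-10 sec" "count: 11 and more sec" "avg: 11 and more sec"
```

Column names containing spaces or colons have to be quoted in the table command, and the order in which they are listed is the order in which they are displayed.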