I have the following search that returns a chart of response times for web pages by GET and POST.
index=iis_PRODUCT | regex cs_method="(GET|POST)" | chart avg(time_taken) as response_time count(host) as hits by cs_uri_stem, cs_method | sort response_time
However, the sort command does not seem to work. Perhaps it's because the field names have the method appended to it? something like this.... hits:GET hits:POST. Not sure how to solve this.
You are indeed trying to sort by a column that does not exist at this time. I see two options:
First, you could pick one of the columns to sort by. Let's assume one of the response_time fields is called "response_time: GET":
search... | chart... | sort "response_time: GET"
Alternatively, if you cannot decide which response time field is the relevant one to search, you could summarize them into a helper field that then is used for sorting:
search... | chart... | addtotals fieldname=temp_sort response_time* | sort temp_sort
You are indeed trying to sort by a column that does not exist at this time. I see two options:
First, you could pick one of the columns to sort by. Let's assume one of the response_time fields is called "response_time: GET":
search... | chart... | sort "response_time: GET"
Alternatively, if you cannot decide which response time field is the relevant one to search, you could summarize them into a helper field that then is used for sorting:
search... | chart... | addtotals fieldname=temp_sort response_time* | sort temp_sort
Very nice.. I think I will use the addtotals option. Thanks!