Column1 | Day1 | Day 2 |
--------- | Shift1 | Shift2 | Shift1 | Shift2 |
ABCD | X | N | Y | X |
XYZA | X | N | Y | N |
BCDE | X | N | Y | N |
@Rajkumarkbm2 for the table columns to be sorted the way you want you would need to have both Day and Shift together. Table will not have two headers so you might have to have two separate tables (one with only header column and second with the details). For keeping the sort of column you might need to have JavaScript code as well. Could you share the query you have right now?
Following is the easiest way have both field names merged as one with spaces between the two field names. Please try the following run any where search based on Splunk's _internal index which plots the count of components by key field combining date_mday
and log_level
field (with values ERROR
and WARN
)
index=_internal sourcetype=splunkd log_level!=INFO earliest=-7d@d latest=now
| eval key=date_mday." :".log_level
| chart count by component key useother=f limit=15
| head 5