Hi everyone,
I hope you can help.
I have the following search:
index=rb_idx_default_summary (report=EXCHANGE_Mailboxuser OR report=ESA_textmail) (NumberResourceMailBoxes=* OR NumberSharedMailBoxes=* OR NumberUserMailBoxes=* OR NumberAntivirusPositive=*) | eval MAXNumberResourceMailBoxes=max(NumberResourceMailBoxes) | eval MAXSharedMailBoxes=max(NumberSharedMailBoxes) | eval MAXNumberUserMailBoxes=max(NumberUserMailBoxes) | eval MAXNumberAntivirusPositive=max(NumberAntivirusPositive) | timechart span=1mon max(NumberResourceMailBoxes) max(NumberSharedMailBoxes) | eval timeprevmonth=strftime(_time,"%Y-%m") | table timeprevmonth, max(NumberResourceMailBoxes), max(NumberSharedMailBoxes) | rename max(NumberResourceMailBoxes) AS "Resource MailBoxes", max(NumberSharedMailBoxes) AS "Number of Shared Mailboxes" | transpose
so, and it gives me the following result:
column | row 1
timeprevmonth | 2017-07
Resource MailBoxes | 123
Number of Shared Mailboxes | 456
But I want to have the time also in the first column and not as a row.
Is there another option besides transpose to have the search result in one column? I want to have it like this all in one search result (and there will be other sources included):
2017-07 | Resource MailBoxes | 123
2017-07 | Number of Shared Mailboxes | 456
2017-07 | Number of ValueXY | 789
2017-07 | Number of ValueABC | 101112
thanks, Lisi
... View more