Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to arrange column sequentially by month?

patricianaguit
Explorer
‎12-26-2017 07:08 PM

I'm having a trouble arranging my columns per month.
I want it to the be arranged like this:
|Sept-15-2017| |Sept-30-2017| |Sept-2017| |Oct-15-2017| |Oct-30-2017||Oct-2017|

Is there a way where i can arrange the columns like the example above?

Tags (2)
Preview file
1 KB
0 Karma
Reply

nikita_p
Contributor
‎12-26-2017 10:45 PM

Hi @patricianaguit,
Can you use sort command before your table command
...| sort output| table output,Target,Actuals,......

0 Karma
Reply

HiroshiSatoh
Champion
‎12-26-2017 08:36 PM

It seems that we have to define all the tables like this.

(your search)|table Sept-*-*,Sept-*,Oct-*-*,Oct-*
0 Karma
Reply

niketn
Legend
‎12-26-2017 08:21 PM

@patricianaguit, Can you add your current search which generates above table?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

patricianaguit
Explorer
‎12-26-2017 09:17 PM

already included my current search!

0 Karma
Reply

niketn
Legend
‎12-27-2017 02:35 AM

@patricianaguit please use the code button (101010) for adding data and code so that special characters do not escape

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

patricianaguit
Explorer
‎12-26-2017 09:10 PM

this is my current search

index="acn_pmo_capacity_chargeability_idx"
| table *
| fields "Enterprise ID" "Employee Level" Date "TR Period" "Charge Code" "Charge Code Description" Hours
| fields - _raw _time
| eval Date=strptime(Date, "%m/%d/%Y"), Month=strftime(Date, "%b-%Y")
| sort Date
| eval Date=strftime(Date, "%m/%d/%Y")
| rename "Enterprise ID" AS EID, "TR Period" as TRPeriod
| eval date1 = strptime(TRPeriod, "%m/%d/%Y"), TRPeriod = strftime(date1, "%b-%d-%Y")
|eval output = Month + ";" + TRPeriod |
makemv delim=";" output
| mvexpand output
| sort "EID"
| lookup wbs_lookup "Charge Code" outputnew WBS
| where WBS = "Non-Chargeable" OR WBS = "Chargeable" OR WBS = "Training"
| stats sum(eval(case(WBS == "Chargeable", Hours, 1=1,null()))) as TotalChargeableHours, sum(Hours) as TotalHours by EID, output
| fillnull value=0.00
| eval Chargeability = round((TotalChargeableHours / TotalHours) * 100, 2)
| sort EID
| fillnull value=0.00
| fields EID, output, Chargeability
| xyseries output EID Chargeability
| fields - _timediff
| table output, *
| transpose 0 header_field=output
| appendpipe [stats avg(*) as * | foreach * [eval "<>"=round('<>', 2)] | eval column="Actuals"]
| untable column output Chargeability
| rename column AS EID
| xyseries output EID Chargeability
| eval Target = "70%"
| table output, Target, Actuals, *
| eval date = strptime(output, "%b-%d-%Y")
| sort date
| fields - date, _timediff
| table output, Target, Actuals, *
| transpose 0 header_field=output
| fillnull value=0.00
| rename column as EID
| lookup Roster_lookup.csv EID outputnew "Career Level"
| table EID "Career Level" *
| transpose 0 header_field=EID
| eval getmonth=strptime(column,"%b-%e-%Y")
| fillnull value=0.00
| sort getmonth
| fields - getmonth
| transpose 0 header_field=column
| rename column AS EID
| eval "Career Level"=if(EID="Target" OR EID="Actuals", "", 'Career Level')

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...