Hi,
I have a timechart result with two columns as shown in the 1st screenshot.
Hour column contain a count for each hour. I want to rearrange this table as shown in the "result" screenshot
To be explicit on the bin, you could replace your timechart command with:
| bin _time span=1h
| stats count by _time
Either way, after this calculate the day and hour values, and then populate a table:
| eval day=strftime(_time, "%m/%d/%Y")
| eval hour=strftime(_time, "%H:%M")
| maketable hour day count
add this end of your quer..
| transpose header_field=day
| fields - column
To be explicit on the bin, you could replace your timechart command with:
| bin _time span=1h
| stats count by _time
Either way, after this calculate the day and hour values, and then populate a table:
| eval day=strftime(_time, "%m/%d/%Y")
| eval hour=strftime(_time, "%H:%M")
| maketable hour day count