I have two "Survey Type" values - 'a' and 'b' - and I need to display their count based on the "Survey Complete" data.
Note - The Survey Complete date is in MM/DD/YYYY HH:MM format, but I need to display it in MM-YYYY format. How do I reframe the query below to get the expected output mentioned above?
index="xyz"
| eval FIELD=strptime("Survey Complete","%m/%d/%Y %H:%M")
| eval DesiredTime=strftime(FIELD,"%Y-%m-%d")
| chart count over "Survey Complete" by "Survey Type"
You don't say what unexpected output you get, but your query doesn't match your question so that could be it.
Try this:
index="xyz"
| eval FIELD=strptime('Survey Complete',"%m/%d/%Y %H:%M")
| eval DesiredTime=strftime(FIELD,"%m-%Y")
| chart count over DesiredTime by "Survey Type"
You can also use a single eval:
index="xyz"
| eval DesiredTime=strftime(strptime('Survey Complete',"%m/%d/%Y %H:%M"), "%m-%Y")
| chart count over DesiredTime by "Survey Type"