Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to order columns based on month name - chronological

sangs8788
Communicator
‎05-19-2020 05:25 AM

Hi,

I have a written query which would result the details grouped by Month and ordered in the Month manner.
Since I using xfields to process one of the columns, the query doesnt return the value in the Month ordered. 

 source=detailed |convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency  | eval Month = case(Month==01, "Jan", Month==02, "Feb", Month==3, "Mar", Month==4, "Apr", Month==5, "May", Month==6, "Jun", Month==7, "Jul", Month==8, "Aug", Month==9, "Sep", Month==10, "Oct", Month==11, "Nov", Month==12, "Dec")  
| sort Year, Month |eval Month=Month + "-" + Year 
| eval xfields='CONTENT_PARTY_NAME'+":"+'DOCUMENT_TYPE'
| chart P90(P90_E2E_Latency) as E2E_Latency by  Month, xfields useother=f limit=10000
| transpose 20 header_field=Month, column_name=xfields
| rex field=xfields "(?<CONTENT_PARTY_NAME>.+):(?<DOCUMENT_TYPE>.+)"
| fields - xfields
| table CONTENT_PARTY_NAME, DOCUMENT_TYPE, *

Using table or fields doesnt display the columns in chronological order. Rather it displays the columns as CONTENT_PARTY_NAME, DOCUMENT_TYPE, APRIL-2020, FEB-2020 etc.
alt text
How do i display the result as CONTENT_PARTY_NAME, DOCUMENT_TYPE, JAN-2020, FEB-2020 etc. Chronological order. I dont want to manually specify the column names. Please advise.

Thanks

Preview file
1 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎05-19-2020 11:31 PM 
source=detailed
|convert dur2sec(P90_E2E_Latency) as P90_E2E_Latency
| bin _time span=1month
| stats p90(P90_E2E_Latency) as E2E_Latency by _time CONTENT_PARTY_NAME DOCUMENT_TYPE
| rename COMMENT as "this is enough to display graph"
| rename COMMENT as "this is extra step, I think"
| eval tmp=CONTENT_PARTY_NAME.":".DOCUMENT_TYPE
| eval _time = strftime(_time,"%b-%Y")
| xyseries tmp _time E2E_Latency
| eval CONTENT_PARTY_NAME=mvindex(split(tmp,":"),0), DOCUMENT_TYPE=mvindex(split(tmp,":"),1)
| table CONTENT_PARTY_NAME DOCUMENT_TYPE [| tstats count where source=detailed by _time span=1month
| eval _time =strftime(_time,"%b-%Y")
| stats list(_time) as time
| eval search=mvjoin(time,",")
| fields search]

How about this?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-19-2020 05:54 AM

I'm not sure what you want the end results to be, but perhaps | table CONTENT_PARTY_NAME, DOCUMENT_TYPE, * will do.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sangs8788
Communicator
‎05-19-2020 10:15 PM

table wouldnt work. because the column gets displayed in as April-2020, Feb-2020 etc. I want the columns to be ordered in chronological order.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...