Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to arrange column sequentially by month?

patricianaguit
Explorer
‎12-26-2017 07:08 PM

I'm having a trouble arranging my columns per month.
I want it to the be arranged like this:
|Sept-15-2017| |Sept-30-2017| |Sept-2017| |Oct-15-2017| |Oct-30-2017||Oct-2017|

Is there a way where i can arrange the columns like the example above?

Tags (2)
Preview file
1 KB
0 Karma
Reply

nikita_p
Contributor
‎12-26-2017 10:45 PM

Hi @patricianaguit,
Can you use sort command before your table command
...| sort output| table output,Target,Actuals,......

0 Karma
Reply

HiroshiSatoh
Champion
‎12-26-2017 08:36 PM

It seems that we have to define all the tables like this.

(your search)|table Sept-*-*,Sept-*,Oct-*-*,Oct-*
0 Karma
Reply

niketn
Legend
‎12-26-2017 08:21 PM

@patricianaguit, Can you add your current search which generates above table?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

patricianaguit
Explorer
‎12-26-2017 09:17 PM

already included my current search!

0 Karma
Reply

niketn
Legend
‎12-27-2017 02:35 AM

@patricianaguit please use the code button (101010) for adding data and code so that special characters do not escape

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

patricianaguit
Explorer
‎12-26-2017 09:10 PM

this is my current search

index="acn_pmo_capacity_chargeability_idx"
| table *
| fields "Enterprise ID" "Employee Level" Date "TR Period" "Charge Code" "Charge Code Description" Hours
| fields - _raw _time
| eval Date=strptime(Date, "%m/%d/%Y"), Month=strftime(Date, "%b-%Y")
| sort Date
| eval Date=strftime(Date, "%m/%d/%Y")
| rename "Enterprise ID" AS EID, "TR Period" as TRPeriod
| eval date1 = strptime(TRPeriod, "%m/%d/%Y"), TRPeriod = strftime(date1, "%b-%d-%Y")
|eval output = Month + ";" + TRPeriod |
makemv delim=";" output
| mvexpand output
| sort "EID"
| lookup wbs_lookup "Charge Code" outputnew WBS
| where WBS = "Non-Chargeable" OR WBS = "Chargeable" OR WBS = "Training"
| stats sum(eval(case(WBS == "Chargeable", Hours, 1=1,null()))) as TotalChargeableHours, sum(Hours) as TotalHours by EID, output
| fillnull value=0.00
| eval Chargeability = round((TotalChargeableHours / TotalHours) * 100, 2)
| sort EID
| fillnull value=0.00
| fields EID, output, Chargeability
| xyseries output EID Chargeability
| fields - _timediff
| table output, *
| transpose 0 header_field=output
| appendpipe [stats avg(*) as * | foreach * [eval "<>"=round('<>', 2)] | eval column="Actuals"]
| untable column output Chargeability
| rename column AS EID
| xyseries output EID Chargeability
| eval Target = "70%"
| table output, Target, Actuals, *
| eval date = strptime(output, "%b-%d-%Y")
| sort date
| fields - date, _timediff
| table output, Target, Actuals, *
| transpose 0 header_field=output
| fillnull value=0.00
| rename column as EID
| lookup Roster_lookup.csv EID outputnew "Career Level"
| table EID "Career Level" *
| transpose 0 header_field=EID
| eval getmonth=strptime(column,"%b-%e-%Y")
| fillnull value=0.00
| sort getmonth
| fields - getmonth
| transpose 0 header_field=column
| rename column AS EID
| eval "Career Level"=if(EID="Target" OR EID="Actuals", "", 'Career Level')

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...