I have framed this sample data from real data. Instead of the actual service name (in the real data), I have given alphabets (in the sample data here).
All the fields are sorted individually. I mean, Time is sorted, Services is sorted, Status is sorted, Response time is also sorted.
But I want to display the data in tabular format as it is.
Input:
STARTS **
Time=2019-Jul-11 13:21:51#Service=B#ReponseTime=300#Status=Pass
Time=2019-Jul-11 13:21:57#Service=C#ReponseTime=200#Status=Pass
Time=2019-Jul-11 13:22:09#Service=A#ReponseTime=100#Status=Pass
ENDS **#2019-Jul-11 13:22:09#Pass
index="aaa" host="ccc"
| transaction startswith="STARTS" endswith="ENDS"
| search TimeStamp="2019-Jul-11 13:22:09"
| rex field=_raw "^(?<Time>[\d\w\s:-]+)#(?<Service>\w+)#(?<ResponseTime>\w+)#(?<Status>\w+)"
| table Time, Service, ResponseTime, Status
Expected output
Time|Service|ResponseTime|Status
2019-Jul-11 13:21:51|B|300|Pass
2019-Jul-11 13:21:57|C|200|Pass
2019-Jul-11 13:22:09|A|100|Pass
Actual Output
Time|Service|ResponseTime|Status
2019-Jul-11 13:21:51|A|100|Pass
2019-Jul-11 13:21:57|B|200|
2019-Jul-11 13:22:09|C|300|
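An added example, not part of the original post: a Python model of the input block that reproduces both tables above. It assumes the merged transaction event holds each field as a de-duplicated, lexically sorted multivalue list (the default behaviour of `transaction` when `mvlist` is not set); the function names are hypothetical and the sample block is copied from the post.

```python
# Constructed sample: the block from the post, one line per service call.
BLOCK = """STARTS **
Time=2019-Jul-11 13:21:51#Service=B#ReponseTime=300#Status=Pass
Time=2019-Jul-11 13:21:57#Service=C#ReponseTime=200#Status=Pass
Time=2019-Jul-11 13:22:09#Service=A#ReponseTime=100#Status=Pass
ENDS **#2019-Jul-11 13:22:09#Pass"""

FIELDS = ["Time", "Service", "ReponseTime", "Status"]  # key spelled as in the data


def parse_rows(block):
    """Parse each key=value line into its own dict, keeping row association."""
    rows = []
    for line in block.splitlines():
        if not line.startswith("Time="):
            continue  # skip the STARTS / ENDS marker lines
        rows.append(dict(item.split("=", 1) for item in line.split("#")))
    return rows


def merged_columns(rows):
    """Assumed model of a merged event: every field becomes a de-duplicated,
    lexically sorted list of values, independent of the other fields."""
    return {f: sorted({r[f] for r in rows}) for f in FIELDS}


def as_table(columns):
    """Lay independent columns side by side, padding short ones with ''."""
    height = max(len(v) for v in columns.values())
    return ["|".join(columns[f][i] if i < len(columns[f]) else "" for f in FIELDS)
            for i in range(height)]


def row_table(rows):
    """One output line per input line, all values taken from the same row."""
    return ["|".join(r[f] for f in FIELDS) for r in rows]


if __name__ == "__main__":
    rows = parse_rows(BLOCK)
    print("\n".join(as_table(merged_columns(rows))))  # matches "Actual Output"
    print("\n".join(row_table(rows)))                 # matches "Expected output"
```

The single `Pass` in the first row of the merged table is the de-duplication at work: three identical Status values collapse to one, which is why the other rows show an empty Status.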