https://community.splunk.com/t5/Splunk-Dev/Display-Graph-Fields-in-Chronological-Order/m-p/335945#M5049 <P>@cmerriman, I think you will need to create fields like "01-January" etc to ensure 10 , 11 and 12 do not come after "1-January" after sort, since it will not be <STRONG>| sort num(date_month)</STRONG></P> Fri, 28 Jul 2017 09:08:20 GMT niketn 2017-07-28T09:08:20Z https://community.splunk.com/t5/Splunk-Dev/Display-Graph-Fields-in-Chronological-Order/m-p/335943#M5047 <P>I have a graph of percentages by region by month: <BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3278i78C406F98C073605/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>However, the months are not displaying in the correct chronological order. Splunk is not recognizing my date_month field as containing time.</P> <P>I need to change something with strptime or strftime, but I'm not exactly sure what.</P> <P>Here is the code:</P> <PRE><CODE>index=webex_sentiment | eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") | eval Country=upper(Country) | lookup CountryDetails Country OUTPUT Region | stats count(Rating) as NumberRatings by date_month Rating Region | eventstats sum(NumberRatings) as TotalRatings by date_month Region | eval PercentageRatings=round(NumberRatings/TotalRatings,3) | where Rating=1 OR Rating=2 | chart sum(PercentageRatings) as NegativeSentiment by date_month Region </CODE></PRE> <P>Please advise</P> Thu, 27 Jul 2017 20:34:23 GMT https://community.splunk.com/t5/Splunk-Dev/Display-Graph-Fields-in-Chronological-Order/m-p/335943#M5047 mhtedford 2017-07-27T20:34:23Z https://community.splunk.com/t5/Splunk-Dev/Display-Graph-Fields-in-Chronological-Order/m-p/335944#M5048 <P>Splunk always displays that as alphanumeric. you need to write an eval to sort it properly. try something like this<BR /> EDIT:</P> <PRE><CODE> index=webex_sentiment | eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") | eval Country=upper(Country) | lookup CountryDetails Country OUTPUT Region | stats count(Rating) as NumberRatings by date_month Rating Region | eventstats sum(NumberRatings) as TotalRatings by date_month Region | eval PercentageRatings=round(NumberRatings/TotalRatings,3) | where Rating=1 OR Rating=2 |eval monthNum=case(date_month="january",1,date_month="february",2,date_month="march",3,date_month="april",4,date_month="may",5, date_month="june",6,date_month="july",7,date_month="august",8,date_month="september",9,date_month="october",10,date_month="november",11, date_month="december",12) | chart sum(PercentageRatings) as NegativeSentiment by monthNum Region |sort 0 monthNum |eval Month=case(monthNum=1,"January",monthNum=2,"February",monthNum=3,"March",monthNum=4,"April",monthNum=5,"May", monthNum=6,"June",monthNum=7,"July",monthNum=8,"August",monthNum=9,"September",monthNum=10,"October",monthNum=11,"November", monthNum=12,"December")|fields - monthNum </CODE></PRE> <P>ORIGINAL:</P> <PRE><CODE>index=webex_sentiment | eval surveyDate=strptime(Started,"%m/%d/%Y %H:%M") | eval Country=upper(Country) | lookup CountryDetails Country OUTPUT Region | stats count(Rating) as NumberRatings by date_month Rating Region | eventstats sum(NumberRatings) as TotalRatings by date_month Region | eval PercentageRatings=round(NumberRatings/TotalRatings,3) | where Rating=1 OR Rating=2 |eval date_month=case(date_month="january","1-January",date_month="february","2-February",date_month="march","3-March",date_month="april","4-April",date_month="may","5-May",date_month="june","6-June",date_month="july","7-July",date_month="august","8-August",date_month="september","9-September",date_month="october","10-October",date_month="november","11-November",date_month="december","12-December") | chart sum(PercentageRatings) as NegativeSentiment by date_month Region |sort 0 date_month |rex field=date_month "-(?&lt;date_month&gt;\w+)" </CODE></PRE> Thu, 27 Jul 2017 20:39:47 GMT https://community.splunk.com/t5/Splunk-Dev/Display-Graph-Fields-in-Chronological-Order/m-p/335944#M5048 cmerriman 2017-07-27T20:39:47Z https://community.splunk.com/t5/Splunk-Dev/Display-Graph-Fields-in-Chronological-Order/m-p/335945#M5049 <P>@cmerriman, I think you will need to create fields like "01-January" etc to ensure 10 , 11 and 12 do not come after "1-January" after sort, since it will not be <STRONG>| sort num(date_month)</STRONG></P> Fri, 28 Jul 2017 09:08:20 GMT https://community.splunk.com/t5/Splunk-Dev/Display-Graph-Fields-in-Chronological-Order/m-p/335945#M5049 niketn 2017-07-28T09:08:20Z https://community.splunk.com/t5/Splunk-Dev/Display-Graph-Fields-in-Chronological-Order/m-p/335946#M5050 <P>good catch! i even mentioned alphanumeric and then i go ahead and create an alphanumeric field! silly me. </P> Fri, 28 Jul 2017 11:59:16 GMT https://community.splunk.com/t5/Splunk-Dev/Display-Graph-Fields-in-Chronological-Order/m-p/335946#M5050 cmerriman 2017-07-28T11:59:16Z https://community.splunk.com/t5/Splunk-Dev/Display-Graph-Fields-in-Chronological-Order/m-p/335947#M5051 <P>Could it be significantly simplified if you use, to derive the date category information "01-January", some variation of ...</P> <PRE><CODE>... | eval date_month=strftime(_time, "%m-%B") ... </CODE></PRE> <P>See this run-anywhere example:</P> <PRE><CODE>| makeresults | eval date_month=strftime(_time, "%m-%B") </CODE></PRE> <P>Which gives you a <CODE>date_month</CODE> equal to, right now, <CODE>07-July</CODE>.</P> <P>Refer to <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Commontimeformatvariables">Splunk date and time format variables</A>)</P> Fri, 28 Jul 2017 13:51:46 GMT https://community.splunk.com/t5/Splunk-Dev/Display-Graph-Fields-in-Chronological-Order/m-p/335947#M5051 Richfez 2017-07-28T13:51:46Z