https://community.splunk.com/t5/Splunk-Enterprise-Security/sort-by-Date-Time/m-p/461819#M6700 <P>@oscar84x :Base search | search feedback=Good | search "feedbackmessage"=* | table date , time , feedback feedbackmessage | sort - Date </P> <P><STRONG>Date time feedback feedbackmessage</STRONG><BR /> Wednesday December 4, 2019 8:24:37 AM Good hjsdn<BR /> Wednesday December 11, 2019 3:33:35 PM Good hduasjklk<BR /> Wednesaday December 4, 2019 12:05:30 PM Bad afstgahjd<BR /> Thursday December 5, 2019 7:53:29 PM IDEA qtdygwuhsk</P> <P>output shld be date &amp; time order in order like this </P> <P><STRONG>Wednesday December 4, 2019 8:24:37 AM<BR /> Wednesaday December 4, 2019 12:05:30 PM<BR /> Thursday December 5, 2019 7:53:29 PM<BR /> Wednesday December 11, 2019 3:33:35 PM</STRONG></P> Fri, 13 Dec 2019 17:08:40 GMT monipinni 2019-12-13T17:08:40Z https://community.splunk.com/t5/Splunk-Enterprise-Security/sort-by-Date-Time/m-p/461817#M6698 <P>Wednesday December 4, 2019 8:24:37 AM<BR /> Wednesday December 11, 2019 3:33:35 PM<BR /> Wednesaday December 4, 2019 12:05:30 PM<BR /> Thursday December 5, 2019 7:53:29 PM</P> <P>How to sort by date &amp; time as per calender? Tried sort - Date , -Time</P> <P>I am looking for output like </P> <P>Wednesday December 4, 2019 8:24:37 AM<BR /> Wednesaday December 4, 2019 12:05:30 PM<BR /> Thursday December 5, 2019 7:53:29 PM<BR /> Wednesday December 11, 2019 3:33:35 PM</P> Fri, 13 Dec 2019 16:36:13 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/sort-by-Date-Time/m-p/461817#M6698 monipinni 2019-12-13T16:36:13Z https://community.splunk.com/t5/Splunk-Enterprise-Security/sort-by-Date-Time/m-p/461818#M6699 <P>Can you share some more information? event samples and your query?<BR /> We'd need to see what fields you're working with.</P> Fri, 13 Dec 2019 16:51:25 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/sort-by-Date-Time/m-p/461818#M6699 oscar84x 2019-12-13T16:51:25Z https://community.splunk.com/t5/Splunk-Enterprise-Security/sort-by-Date-Time/m-p/461819#M6700 <P>@oscar84x :Base search | search feedback=Good | search "feedbackmessage"=* | table date , time , feedback feedbackmessage | sort - Date </P> <P><STRONG>Date time feedback feedbackmessage</STRONG><BR /> Wednesday December 4, 2019 8:24:37 AM Good hjsdn<BR /> Wednesday December 11, 2019 3:33:35 PM Good hduasjklk<BR /> Wednesaday December 4, 2019 12:05:30 PM Bad afstgahjd<BR /> Thursday December 5, 2019 7:53:29 PM IDEA qtdygwuhsk</P> <P>output shld be date &amp; time order in order like this </P> <P><STRONG>Wednesday December 4, 2019 8:24:37 AM<BR /> Wednesaday December 4, 2019 12:05:30 PM<BR /> Thursday December 5, 2019 7:53:29 PM<BR /> Wednesday December 11, 2019 3:33:35 PM</STRONG></P> Fri, 13 Dec 2019 17:08:40 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/sort-by-Date-Time/m-p/461819#M6700 monipinni 2019-12-13T17:08:40Z https://community.splunk.com/t5/Splunk-Enterprise-Security/sort-by-Date-Time/m-p/461820#M6701 <P>You can create a date sort field, use it for sorting, and then throw it away:</P> <PRE><CODE>| makeresults | eval date="Wednesday December 4, 2019" | eval time="8:24:37 AM" | eval feedback="Good" | eval feedbackmessage="hsjdn" | eval dateTime=date." ".time | rex field=dateTime mode=sed "s/\w+\s(.*)/\1/g" | eval dateSort=strptime(dateTime,"%b %d, %Y %I:%M:%S %p") | sort dateSort | fields - dateSort </CODE></PRE> Fri, 13 Dec 2019 18:03:50 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/sort-by-Date-Time/m-p/461820#M6701 jpolvino 2019-12-13T18:03:50Z https://community.splunk.com/t5/Splunk-Enterprise-Security/sort-by-Date-Time/m-p/461821#M6702 <P>Date strings are sorted in ASCII order, not date order. The solution is to parse the dates into a separate field for sorting.</P> <PRE><CODE>Base search | search feedback=Good | search "feedbackmessage"=* | eval epoch=sprptime(Date, "%A %B %d, %Y %I:%M:%S %p") | sort + epoch | table Date, time, feedback, feebackmessage </CODE></PRE> Fri, 13 Dec 2019 18:03:55 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/sort-by-Date-Time/m-p/461821#M6702 richgalloway 2019-12-13T18:03:55Z