https://community.splunk.com/t5/Dashboards-Visualizations/Sorting-of-Fields-base-on-Timestamp/m-p/46295#M2282 <P>Hello!</P> <P>Im trying to sort a field based on the timestamp.</P> <P>This is my current search command</P> <PRE><CODE>sourcetype=log | eval date_readable=date_mday." ".date_month | stats count by date_readable </CODE></PRE> <P>Using this search command, I'm able to produce the following graph in my dashboard.<BR /> Graph: <A href="http://i40.tinypic.com/2ai0zzn.png">http://i40.tinypic.com/2ai0zzn.png</A></P> <P>However, the date is not sort in a correct sequence. Is there anyway for me to sort the <EM>date_readable</EM> field according to timestamp?</P> <P>Thanks!</P> Mon, 26 Aug 2013 14:16:16 GMT Zyon 2013-08-26T14:16:16Z https://community.splunk.com/t5/Dashboards-Visualizations/Sorting-of-Fields-base-on-Timestamp/m-p/46295#M2282 <P>Hello!</P> <P>Im trying to sort a field based on the timestamp.</P> <P>This is my current search command</P> <PRE><CODE>sourcetype=log | eval date_readable=date_mday." ".date_month | stats count by date_readable </CODE></PRE> <P>Using this search command, I'm able to produce the following graph in my dashboard.<BR /> Graph: <A href="http://i40.tinypic.com/2ai0zzn.png">http://i40.tinypic.com/2ai0zzn.png</A></P> <P>However, the date is not sort in a correct sequence. Is there anyway for me to sort the <EM>date_readable</EM> field according to timestamp?</P> <P>Thanks!</P> Mon, 26 Aug 2013 14:16:16 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sorting-of-Fields-base-on-Timestamp/m-p/46295#M2282 Zyon 2013-08-26T14:16:16Z https://community.splunk.com/t5/Dashboards-Visualizations/Sorting-of-Fields-base-on-Timestamp/m-p/46296#M2283 <P>Well, from what it looks like in the picture, it is sorted on <CODE>date_readable</CODE>. Unfortunately for you, <CODE>date_readable</CODE> has no special meaning to Splunk - it's just a string.</P> <P>I'd suggest that you do the following instead;</P> <PRE><CODE>sourcetype=log | timechart span=1d count </CODE></PRE> <P>That will sort it automatically.</P> <HR /> <P>UPDATE:</P> <P>linu1988 has a point here - there is a difference between <CODE>_time</CODE> and the <CODE>date_*</CODE> fields. In your original search query, you used the <CODE>date_*</CODE> fields, but the <CODE>timechart</CODE> approach I suggested uses <CODE>_time</CODE>.</P> <P>See lguinns excellent explanation here;</P> <P><A href="http://answers.splunk.com/answers/99451/variance-betweeen-_time-and-date_-fields"></A><A href="http://answers.splunk.com/answers/99451/variance-betweeen-" target="test_blank">http://answers.splunk.com/answers/99451/variance-betweeen-</A><EM>time-and-date</EM>-fields</P> <P>/K</P> Mon, 26 Aug 2013 14:43:38 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sorting-of-Fields-base-on-Timestamp/m-p/46296#M2283 kristian_kolb 2013-08-26T14:43:38Z https://community.splunk.com/t5/Dashboards-Visualizations/Sorting-of-Fields-base-on-Timestamp/m-p/46297#M2284 <P>because it's still a string not a date.</P> <P>Convert into time using strftime()/ convert then do a sort then chart...</P> Mon, 26 Aug 2013 14:56:09 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sorting-of-Fields-base-on-Timestamp/m-p/46297#M2284 linu1988 2013-08-26T14:56:09Z https://community.splunk.com/t5/Dashboards-Visualizations/Sorting-of-Fields-base-on-Timestamp/m-p/46298#M2285 <P>If the eventtime is matching with the log time, if not _time needs to assigned from logs then chart...</P> Mon, 26 Aug 2013 14:57:12 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sorting-of-Fields-base-on-Timestamp/m-p/46298#M2285 linu1988 2013-08-26T14:57:12Z https://community.splunk.com/t5/Dashboards-Visualizations/Sorting-of-Fields-base-on-Timestamp/m-p/46299#M2286 <P>sourcetype=log | timechart span=1d count works for me! Thanks a lot! (:</P> Mon, 26 Aug 2013 15:00:39 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Sorting-of-Fields-base-on-Timestamp/m-p/46299#M2286 Zyon 2013-08-26T15:00:39Z