https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352741#M104416 <P>Good to know, to me join on same index and then xyseries along with two times transpose seemed excessive effort <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> So wanted to see if what is the output you wanted and whether there was any other way. In any case do post your final query which fixed the issue and accept the same as answer. This will mark your question as answered and also help the community.</P> Fri, 02 Feb 2018 09:55:07 GMT niketn 2018-02-02T09:55:07Z https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352737#M104412 <P>I don't know what's wrong with my code. I cannot sort the date using sort. <BR /> Below is my code. I need to sort it by Date. </P> <PRE><CODE>index="sharepoint_capacity" | fields - _raw | fields "Resource Name" "Capacity End Date" "Capacity Start Date" EID FTE "Project Name" ID | stats count by "Resource Name" FTE "Project Name" | rename FTE as Allocation | join [search index="sharepoint_capacity" |eval epoch_end=strptime('Capacity End Date',"%m/%d/%Y"), epoch_start=strptime('Capacity Start Date',"%m/%d/%Y"), between=mvrange(epoch_start,epoch_end,"1d") | mvexpand between | eval _time=between | stats values(FTE) as alloc by "Resource Name" FTE "Project Name" _time | eval months=strftime(_time,"%B %d %Y") | xyseries "Resource Name" months alloc | transpose 0 header_field="Resource Name" | rename column as Month | eval getmonth=strptime(Month,"%B %d %Y") | sort getmonth | transpose 0 header_field=Month | rename column as "Resource Name"] | fields - count </CODE></PRE> Thu, 01 Feb 2018 09:19:35 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352737#M104412 katrinamara 2018-02-01T09:19:35Z https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352738#M104413 <P>You are sorting in the subsearch not in den main search, try an do the sort in the main search.<BR /> To get a formated search in Splunk&gt; just hit Ctrl+F in the inputbox for formatting.</P> <PRE><CODE>index="sharepoint_capacity" | fields - _raw | fields "Resource Name" "Capacity End Date" "Capacity Start Date" EID FTE "Project Name" ID | stats count by "Resource Name" FTE "Project Name" | rename FTE as Allocation | join [ search index="sharepoint_capacity" | eval epoch_end=strptime('Capacity End Date',"%m/%d/%Y"), epoch_start=strptime('Capacity Start Date',"%m/%d/%Y"), between=mvrange(epoch_start,epoch_end,"1d") | mvexpand between | eval _time=between | stats values(FTE) as alloc by "Resource Name" FTE "Project Name" _time | eval months=strftime(_time,"%B %d %Y") | xyseries "Resource Name" months alloc | transpose 0 header_field="Resource Name" | rename column as Month | eval getmonth=strptime(Month,"%B %d %Y") | transpose 0 header_field=Month | rename column as "Resource Name"] | sort getmonth | fields - count </CODE></PRE> Fri, 02 Feb 2018 09:28:41 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352738#M104413 Elsurion 2018-02-02T09:28:41Z https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352739#M104414 <P>@katrinamara do you mind sharing some mocked up sample events and also the current output vs desired output?</P> Fri, 02 Feb 2018 09:39:08 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352739#M104414 niketn 2018-02-02T09:39:08Z https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352740#M104415 <P>Hi, already done resolving this issue. thanks!</P> Fri, 02 Feb 2018 09:41:16 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352740#M104415 katrinamara 2018-02-02T09:41:16Z https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352741#M104416 <P>Good to know, to me join on same index and then xyseries along with two times transpose seemed excessive effort <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> So wanted to see if what is the output you wanted and whether there was any other way. In any case do post your final query which fixed the issue and accept the same as answer. This will mark your question as answered and also help the community.</P> Fri, 02 Feb 2018 09:55:07 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352741#M104416 niketn 2018-02-02T09:55:07Z https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352742#M104417 <P>Here's my final query which fixed my issue. </P> <PRE><CODE>index="sharepoint_capacity" | fields - _raw | fields "Resource Name" "Capacity End Date" "Capacity Start Date" EID FTE "Project Name" ID | stats count by "Resource Name" FTE "Project Name" | rename FTE as Allocation | join [search index="sharepoint_capacity" |eval epoch_end=strptime('Capacity End Date',"%m/%d/%Y"), epoch_start=strptime('Capacity Start Date',"%m/%d/%Y"), between=mvrange(epoch_start,epoch_end,"1d") | mvexpand between | eval _time=between | stats values(FTE) as alloc by "Resource Name" FTE "Project Name" _time | eval months=strftime(_time,"%B %d %Y") | xyseries "Resource Name" months alloc] | fields - count | transpose 0 | eval column1=column, getmonth=strptime(column1,"%B %d %Y") | fillnull value=1 getmonth | sort getmonth | fields - column1 getmonth | transpose 0 header_field=column | fields - column | sort "Resource Name" </CODE></PRE> Fri, 02 Feb 2018 09:57:41 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352742#M104417 katrinamara 2018-02-02T09:57:41Z https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352743#M104418 <P>@katrinamara if your problem is resolved, please accept an answer to help future readers.</P> Fri, 02 Feb 2018 12:41:45 GMT https://community.splunk.com/t5/Splunk-Search/Sort-Date-in-header/m-p/352743#M104418 richgalloway 2018-02-02T12:41:45Z