https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482695#M135201 <P>It is sorting correctly based upon the lexicographic ordering.</P> <P>If you want to sort by a section of the string, in this case the year, then you have a couple options:</P> <OL> <LI>Change the format of your field values so that the year is first. For example, 2019-06-16 will come before 2020-01-12. You can use something like <CODE>| eval Time=strftime(your_field,"%Y-%m-%d")</CODE></LI> <LI>Keep the current field format as-is, create a sorting field called something like dateSort which has the format in the previous item, sort by that, then remove the dateSort field.</LI> </OL> Mon, 13 Jan 2020 19:35:11 GMT jpolvino 2020-01-13T19:35:11Z https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482694#M135200 <P>1/5/2020<BR /> 1/12/2020<BR /> 6/16/2019<BR /> 6/23/2019<BR /> 6/30/2019<BR /> 7/7/2019<BR /> 7/14/2019<BR /> 7/21/2019<BR /> 7/28/2019<BR /> 8/4/2019<BR /> 8/11/2019<BR /> 8/18/2019<BR /> 8/25/2019<BR /> 9/1/2019<BR /> 9/8/2019<BR /> 9/15/2019<BR /> 9/22/2019<BR /> 9/29/2019<BR /> 10/6/2019<BR /> 10/13/2019<BR /> 10/20/2019<BR /> 10/27/2019<BR /> 11/3/2019<BR /> 11/10/2019<BR /> 11/17/2019<BR /> 11/24/2019<BR /> 12/1/2019<BR /> 12/8/2019<BR /> 12/15/2019<BR /> 12/22/2019<BR /> 12/29/2019</P> <P>Any solution ?</P> Mon, 13 Jan 2020 18:51:07 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482694#M135200 reverse 2020-01-13T18:51:07Z https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482695#M135201 <P>It is sorting correctly based upon the lexicographic ordering.</P> <P>If you want to sort by a section of the string, in this case the year, then you have a couple options:</P> <OL> <LI>Change the format of your field values so that the year is first. For example, 2019-06-16 will come before 2020-01-12. You can use something like <CODE>| eval Time=strftime(your_field,"%Y-%m-%d")</CODE></LI> <LI>Keep the current field format as-is, create a sorting field called something like dateSort which has the format in the previous item, sort by that, then remove the dateSort field.</LI> </OL> Mon, 13 Jan 2020 19:35:11 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482695#M135201 jpolvino 2020-01-13T19:35:11Z https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482696#M135202 <P>thanks .. how can I create a sorting field called something like dateSort which has the format in the previous item, sort by that, then remove the dateSort field.?</P> Mon, 13 Jan 2020 20:24:23 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482696#M135202 reverse 2020-01-13T20:24:23Z https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482697#M135203 <P>Here is one way to do it:</P> <PRE><CODE>| makeresults | eval dateList="1/5/2020 1/12/2020 6/16/2019 6/23/2019 6/30/2019 7/7/2019" | eval dateList=split(dateList," ") | mvexpand dateList | fields - _time | eval dateSort=strftime(strptime(dateList,"%m/%d/%Y"),"%Y-%m-%d") | sort + dateSort | fields - dateSort </CODE></PRE> Mon, 13 Jan 2020 20:32:30 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482697#M135203 jpolvino 2020-01-13T20:32:30Z https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482698#M135204 <P><CODE>... | eval datasort = strptime(your_field, "%m/%d/%Y")<BR /> | sort datasort<BR /> | fields - datasort<BR /> | ...</CODE></P> Mon, 13 Jan 2020 20:33:49 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482698#M135204 richgalloway 2020-01-13T20:33:49Z https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482699#M135205 <P>@richgalloway made a good point, my 4th line has an unnecessary strftime that was used for visualization purposes. You could easily just use this: <CODE>| eval dateSort=strptime(dateList,"%m/%d/%Y")</CODE></P> Mon, 13 Jan 2020 20:43:18 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-not-sorting-Dates-properly-across-year/m-p/482699#M135205 jpolvino 2020-01-13T20:43:18Z