topic Re: Date sorting in Splunk Search

Date sorting

ND — Thu, 05 Nov 2020 19:18:00 GMT

Hi,

I have below data:

Date:

Sep 2020

Aug 2018

Feb 2020

July 2017

Sep 2019

I want to sort the date by month and year

Like July 2017

Aug 2018

Sep 2019

Feb 2020

Sep 2020

I am using eval strftime function but ouput is coming as

Sep 2020

Sep 2019

Can someone please help me to fix this.

Thanks!!

Re: Date sorting

ITWhisperer — Thu, 05 Nov 2020 19:57:48 GMT

You need to parse the dates with strptime to get the equivalent epoch dates - this is a number. When you sort by this number the dates will be in the right order. You then convert them back to string format using strftime. If you do that with fieldformat, you don't change then value of the epoch date field, you just change how it is displayed. This may give you what you want.

Re: Date sorting

richgalloway — Thu, 05 Nov 2020 20:07:32 GMT

How exactly are you using the strptime function?

Sorting dates accurately into chronological order requires that they be converted into integer form. Otherwise, the dates are sorted lexicographically.

... | eval sortby = strptime (Date, "%b %Y") | sort + sortby | fields - sortby | table ...