topic Re: help on date field sorting in Splunk Search

help on date field sorting

jip31 — Thu, 15 Apr 2021 15:08:51 GMT

the field dv_sys_created_on is a field date

index="tutu" sourcetype="toto" | stats last(dv_sys_created_on) as Opened by ticket_id

i tried to sort it like this but it doesnt works

| eval time = strftime(dv_sys_created_on, "%d-%m-%y %H:%M") | sort - dv_sys_created_on

could you help please??

Re: help on date field sorting

scelikok — Thu, 15 Apr 2021 15:25:57 GMT

Hi @jip31,

You are loosing the dv_sys_created_on field on stats command, you can sort like below;

index="tutu" sourcetype="toto" | stats last(dv_sys_created_on) as Opened by ticket_id | sort - Opened

Or if date field is string below should work better; assuming your date format is "%d-%m-%y %H:%M"

index="tutu" sourcetype="toto" | stats last(dv_sys_created_on) as Opened by ticket_id | eval time = strptime(Opened, "%d-%m-%y %H:%M") | sort - time

Re: help on date field sorting

ITWhisperer — Thu, 15 Apr 2021 15:30:19 GMT

What does "the field dv_sys_created_on is a field date" mean? Is it a string in a particular format representing a date? If so, you need to parse the string (the p in strptime means parse, the f in strftime means format) into an epoch datetime (a number) which you can then sort on (strptime, string to number; strftime, number to string)

| eval time = strptime(dv_sys_created_on, "%d-%m-%y %H:%M") | sort - time