https://community.splunk.com/t5/Splunk-Search/How-to-sort-values-time/m-p/614529#M213580 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/189747">@klischatb</a>&nbsp;<BR /><BR />Please try like ,<BR /><BR />What ever the time you wanna sort, just Convert that time into "<STRONG>epoch",</STRONG><BR />then you Can Sort that new field Consists of epoch time.&nbsp;<BR /><BR />Thankyou.</P> Mon, 26 Sep 2022 10:30:44 GMT vinod743374 2022-09-26T10:30:44Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-values-time/m-p/614494#M213569 <P>Hello everyone!<BR /><BR />i have the following search:<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index="xyz" "restart" | eval _time = strftime(_time,"%F %H:%M:%S") | stats count as "count_of_starts" values(_time) as "restart_time" by host</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><BR />now i get a table with the "host" "count_of_starts" "restart_time", but the time inside values is ordered like:</P> <DIV class="">2022-09-22 12:19:22</DIV> <DIV class="">2022-09-22 12:19:46</DIV> <DIV class="">2022-09-22 15:02:12</DIV> <DIV class="">2022-09-22 15:02:36</DIV> <DIV class="">2022-09-23 11:00:51</DIV> <DIV class="">2022-09-23 11:01:16</DIV> <DIV class="">2022-09-23 15:18:10</DIV> <DIV class="">2022-09-23 15:18:34</DIV> <DIV class="">2022-09-23 15:35:47</DIV> <DIV class="">2022-09-23 15:36:11</DIV> <DIV class="">2022-09-23 16:15:05</DIV> <DIV class="">2022-09-23 16:15:30</DIV> <DIV class="">2022-09-24 09:47:43</DIV> <DIV class="">2022-09-24 09:48:06</DIV> <P><BR />I need this results but in opposite order, how can i implement this?<BR /><BR />|sort - _time before or after stats doesn´t worked and | sort restart_time also didn´t affect the results.<BR /><BR />Thank you all in advance!<BR />Kind regards<BR />Ben<BR /><BR /></P> Mon, 26 Sep 2022 15:31:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-values-time/m-p/614494#M213569 klischatb 2022-09-26T15:31:34Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-values-time/m-p/614504#M213570 <P>Hi</P><P>as stats values creates a multivalve field for that restart_time you must use mvsort to this field.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/MultivalueEvalFunctions#mvsort.28X.29" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/MultivalueEvalFunctions#mvsort.28X.29</A></P><P>r. Ismo</P> Mon, 26 Sep 2022 08:14:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-values-time/m-p/614504#M213570 isoutamo 2022-09-26T08:14:34Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-values-time/m-p/614506#M213571 <P>If you are sure you want "restart_time" as a multivalue field, you can do</P><LI-CODE lang="markup">| eval i = mvrange(0, count_of_starts) | eval restart_time = mvmap(i, mvindex(resart_time, count_of_starts - i))</LI-CODE><P>&nbsp;</P> Mon, 26 Sep 2022 08:18:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-values-time/m-p/614506#M213571 yuanliu 2022-09-26T08:18:39Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-values-time/m-p/614529#M213580 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/189747">@klischatb</a>&nbsp;<BR /><BR />Please try like ,<BR /><BR />What ever the time you wanna sort, just Convert that time into "<STRONG>epoch",</STRONG><BR />then you Can Sort that new field Consists of epoch time.&nbsp;<BR /><BR />Thankyou.</P> Mon, 26 Sep 2022 10:30:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-values-time/m-p/614529#M213580 vinod743374 2022-09-26T10:30:44Z https://community.splunk.com/t5/Splunk-Search/How-to-sort-values-time/m-p/614628#M213608 <P>Consider using list instead of values if appropriate. List will keep the original order of events returned.&nbsp;</P><P>index="xyz" "restart"<BR />| eval _time = strftime(_time,"%F %H:%M:%S")<BR />| stats count as "count_of_starts" <STRONG><FONT color="#FF0000">list(_time)</FONT></STRONG> as "restart_time" by host</P><P>The caveat of using list is that it does not dedup. If dupes are a problem, you can dedup after:</P><P>| eval restart_time=MVDEDUP(restart_time)<BR /><BR /></P><P>If your data is not chronologically sorted, you could add</P><P>| sort 0 -_time</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 26 Sep 2022 23:16:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-sort-values-time/m-p/614628#M213608 johnhuang 2022-09-26T23:16:35Z