https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118804#M31794 <P>No <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> .....</P> Thu, 03 Apr 2014 14:08:57 GMT dsmeerkat 2014-04-03T14:08:57Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118796#M31786 <P>Okay so I missing something...</P> <P>Here's my searches:</P> <PRE><CODE>index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool useother=false | fieldformat Total=round(Total, 2) |rename auto_generated_pool_enterprise AS Total | tscollect namespace=License_Daily_Usage_7d keepresults=true </CODE></PRE> <P>AND</P> <PRE><CODE>| tstats sum(GB) AS Total, values(Total), values(Date) FROM License_Daily_Usage_7d groupby Date | rename values(Total) AS Total_GB | convert timeformat="%a, %m/%d/%y" ctime(_time) AS Date | sort _time | fields - _time | table Date, Total_GB </CODE></PRE> <P>And when the show up in the dashboard they are not being sorted by "Date" correctly...its doing:</P> <P>Fri, 03/28/14 943.270143<BR /><BR /> Mon, 03/31/14 900.663402<BR /><BR /> Sat, 03/29/14 836.616432<BR /><BR /> Sun, 03/30/14 779.676332<BR /><BR /> Thu, 03/27/14 487.159979<BR /><BR /> Thu, 04/03/14 514.808743<BR /><BR /> Tue, 04/01/14 965.568267<BR /><BR /> Wed, 04/02/14 1031.553619 </P> <P>I've tried sorting by everything I can think of and it just won't sort by %m/%d/%y </P> Thu, 03 Apr 2014 13:28:48 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118796#M31786 dsmeerkat 2014-04-03T13:28:48Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118797#M31787 <P>Hello,<BR /> Add a dummy column and do the sort and hide it</P> <PRE><CODE>| tstats sum(GB) AS Total, values(Total), values(Date) FROM License_Daily_Usage_7d groupby Date | rename values(Total) AS Total_GB |convert timeformat="%a, %m/%d/%y" ctime(_time) AS Date|eval a=strptime(Date,"%a, %m/%d/%y") | table Date, Total_GB,a| sort a | fields - a </CODE></PRE> <P>Thanks</P> Thu, 03 Apr 2014 13:43:26 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118797#M31787 linu1988 2014-04-03T13:43:26Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118798#M31788 <P>You second search (tstats) is not retrieving field _time.</P> Thu, 03 Apr 2014 13:46:13 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118798#M31788 somesoni2 2014-04-03T13:46:13Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118799#M31789 <P>Thanks for the response but its still not working....</P> Thu, 03 Apr 2014 13:50:19 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118799#M31789 dsmeerkat 2014-04-03T13:50:19Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118800#M31790 <P>Thanks for the response but its still not working....</P> Thu, 03 Apr 2014 13:50:35 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118800#M31790 dsmeerkat 2014-04-03T13:50:35Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118801#M31791 <P>Try now, i didn't include the field in table column. This happens due to the date field not being actual date field rather a string..</P> Thu, 03 Apr 2014 13:51:38 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118801#M31791 linu1988 2014-04-03T13:51:38Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118802#M31792 <P>Still no luck <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Thu, 03 Apr 2014 13:59:28 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118802#M31792 dsmeerkat 2014-04-03T13:59:28Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118803#M31793 <P>if you keep the field _time, does it sort?</P> Thu, 03 Apr 2014 14:07:48 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118803#M31793 aelliott 2014-04-03T14:07:48Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118804#M31794 <P>No <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> .....</P> Thu, 03 Apr 2014 14:08:57 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118804#M31794 dsmeerkat 2014-04-03T14:08:57Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118805#M31795 <P>try </P> <P>|eval MyDate=strptime(Date,"%a, %m/%d/%y") | sort MyDate | table MyDate, Total_GB</P> Thu, 03 Apr 2014 14:12:55 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118805#M31795 aelliott 2014-04-03T14:12:55Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118806#M31796 <P>Okay now check the edited one?</P> Thu, 03 Apr 2014 14:13:44 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118806#M31796 linu1988 2014-04-03T14:13:44Z https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118807#M31797 <PRE><CODE>index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool useother=false |convert ctime(_time) AS Time | tscollect namespace=License_Daily_Usage_7d keepresults=true | tstats sum(GB) AS Total, values(Total), values(Date) FROM License_Daily_Usage_7d groupby Date | rename values(Total) AS Total_GB | convert timeformat="%a, %m/%d/%y" ctime(_time) AS Date | sort _time | fields - _time | eval MyDate=strptime(Date,"%a, %m/%d/%y") | sort MyDate | convert timeformat="%a, %m/%d/%y" ctime(_time) AS Date| table Date, Total_GB </CODE></PRE> <P>Works like a charm!</P> Thu, 03 Apr 2014 16:05:44 GMT https://community.splunk.com/t5/Splunk-Search/Sorting-Date/m-p/118807#M31797 dsmeerkat 2014-04-03T16:05:44Z