topic Re: Sort fields by date in Splunk Search

Sort fields by date

baranova — Tue, 27 May 2014 14:42:41 GMT

Hello There ,

Basically I have some dates in this format :

01/13 700
02/13 600
...
01/14 500

I use these fields for a chart

I wanna sort them in calendar order but I get

01/14 531
02/14 513
03/14 545
04/13 145
04/14 94
05/13 198
06/13 14
07/13 143
08/13 1234
09/13 899
10/13 508
11/13 33

Could you Help me ?

Re: Sort fields by date

dwaddle — Tue, 27 May 2014 14:48:17 GMT

Splunk's sort is lexicographical. Your data as-is won't sort right using a lexicographical approach. Let's borrow a pattern from Python (who borrowed it from lisp), Decorate-Sort-Undecorate

| rex field=datefield "(?<temp_mon>\d\d)/(?<temp_year>\d\d)"
| sort temp_year, temp_mon
| fields -temp_year,temp_mon

We add two new fields that sort in the right order, do the sort, then throw away the temporary fields. Result is data sorted like you wanted.

Re: Sort fields by date

baranova — Tue, 27 May 2014 14:56:56 GMT

Hello dwaddle and thanks for your quick answer. Works like a charm!