topic Re: How to sort time so that minute values are in correct order relevant to a 60 minute hour? in Splunk Search

How to sort time so that minute values are in correct order relevant to a 60 minute hour?

packet_hunter — Mon, 08 Aug 2016 19:43:50 GMT

Here is the data when sorted recent first....

11:25:22
11:25:23
11:25:51
11:25:52
11:25:53
11:5:37
11:5:38
11:5:42
11:6:2
11:6:5
11:6:6

Any ideas?

Re: How to sort time so that minute values are in correct order relevant to a 60 minute hour?

packet_hunter — Mon, 08 Aug 2016 19:47:02 GMT

....|eval Time=date_hour.":".date_minute.":".date_second  | eval Date = date_wday."  ".date_month."/".date_mday."/".date_year 
|stats list(message_subject) as subj list(sender) as sender list(recipient) as recp list(file_name) as AttachmentName list(attachment_type) as AttachmentType list(vendor_action) as status values(Time) as Time values(Date) as Date by internal_message_id ....

This is a sample of the code I use to get the events with time and date...

Re: How to sort time so that minute values are in correct order relevant to a 60 minute hour?

richgalloway — Mon, 08 Aug 2016 20:46:57 GMT

Try this

.... | eval Time=strftime(strptime(date_hour.":".date_minute.":".date_second,"%H:%M:%S"),"%H:%M:%S) | ...

It should normalize Time to use 2-digit minute and second fields (hour, too). Then the events will sort properly.

Re: How to sort time so that minute values are in correct order relevant to a 60 minute hour?

packet_hunter — Mon, 08 Aug 2016 20:52:05 GMT

Thank you Rick!!! Do you also have the date cure too? So that days and months are in the proper chronological order.

Thanks again

Re: How to sort time so that minute values are in correct order relevant to a 60 minute hour?

richgalloway — Mon, 08 Aug 2016 21:06:58 GMT

Date is similar.

... | eval Date=strftime(strptime(date_wday."  ".date_month."/".date_mday."/".date_year, "%a %m/%d/%Y"),"%a %m/%d/%Y") | ...

I suspect, however, there's a better way using _time to get the events in order. Depends on what you're trying to do.

Re: How to sort time so that minute values are in correct order relevant to a 60 minute hour?

packet_hunter — Mon, 08 Aug 2016 21:39:27 GMT

agreed, I am sure there is a better way but this should get the answers I need today...
Thank you

Re: How to sort time so that minute values are in correct order relevant to a 60 minute hour?

packet_hunter — Mon, 15 Aug 2016 15:26:17 GMT

|eval Time=strftime(_time, "%H:%M:%S") | eval Date=strftime(_time, "%A %F")

This works too

Thanks!