https://community.splunk.com/t5/Splunk-Search/Chart-by-month-still-alphabetical/m-p/38819#M8850 <P>Still fighting this after looking at many examples. </P> <P>Data looks like this:<BR /> Kronos,Jun-12,100,Kronos,20120630010101<BR /> Kronos,May-12,100,Kronos,20120531010101<BR /> Kronos,Apr-12,98.484,Kronos,20120430010101<BR /> Fields are App,Month,Uptime,AppOwner,Date.</P> <P>This search results in alphabetical when using chart: index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Month<BR /> Same thing sindex=apps-monthly AND App="Kronos" |sort + _timestamp | chart avg(Uptime) by Month orting by _timestamp:<BR /><BR /> Not very familiar with eval but looking at examples, that may be what is necessary to get this chart to sort properly.<BR /><BR /> Can anyone save me some time here?</P> Sun, 19 Aug 2012 13:28:49 GMT bwindham 2012-08-19T13:28:49Z https://community.splunk.com/t5/Splunk-Search/Chart-by-month-still-alphabetical/m-p/38819#M8850 <P>Still fighting this after looking at many examples. </P> <P>Data looks like this:<BR /> Kronos,Jun-12,100,Kronos,20120630010101<BR /> Kronos,May-12,100,Kronos,20120531010101<BR /> Kronos,Apr-12,98.484,Kronos,20120430010101<BR /> Fields are App,Month,Uptime,AppOwner,Date.</P> <P>This search results in alphabetical when using chart: index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Month<BR /> Same thing sindex=apps-monthly AND App="Kronos" |sort + _timestamp | chart avg(Uptime) by Month orting by _timestamp:<BR /><BR /> Not very familiar with eval but looking at examples, that may be what is necessary to get this chart to sort properly.<BR /><BR /> Can anyone save me some time here?</P> Sun, 19 Aug 2012 13:28:49 GMT https://community.splunk.com/t5/Splunk-Search/Chart-by-month-still-alphabetical/m-p/38819#M8850 bwindham 2012-08-19T13:28:49Z https://community.splunk.com/t5/Splunk-Search/Chart-by-month-still-alphabetical/m-p/38820#M8851 <P>Well your "Month" field is just a field containing text. There's no way for Splunk to know that this specific text corresponds to some number, like that May is month number 5, so the only valid way of sorting is alphabetically. What you need to do in order to have months ordered properly is to point Splunk at a field that contains their actual number equivalent. Since you have these events in Splunk I'm assuming you already have valid timestamps for these events from the Date field. You could sort by this field and then use <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fieldformat">fieldformat</A> to have it displayed with the month only (because it looks like you only have one event per month).</P> <PRE><CODE>index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Date | fieldformat Date=strftime(Date,"%b") </CODE></PRE> <P>Or because you already have the Month as a string in your event, just</P> <PRE><CODE>index=apps-monthly AND App="Kronos" | chart avg(Uptime) by Date | fieldformat Date=Month </CODE></PRE> <P>would do.</P> Sun, 19 Aug 2012 14:51:20 GMT https://community.splunk.com/t5/Splunk-Search/Chart-by-month-still-alphabetical/m-p/38820#M8851 Ayn 2012-08-19T14:51:20Z https://community.splunk.com/t5/Splunk-Search/Chart-by-month-still-alphabetical/m-p/38821#M8852 <P>You put me on the right track....Month was actually mmm-yy. Used this and it worked:</P> <P>index=apps-monthly AND App="Kronos" | chart avg(Uptime) by _time | fieldformat _time=strftime(_time,"%b-%y") | sort - _time<BR /> Thanks.</P> Mon, 28 Sep 2020 12:17:39 GMT https://community.splunk.com/t5/Splunk-Search/Chart-by-month-still-alphabetical/m-p/38821#M8852 bwindham 2020-09-28T12:17:39Z https://community.splunk.com/t5/Splunk-Search/Chart-by-month-still-alphabetical/m-p/38822#M8853 <P>Awesome. Could you please mark my answer as accepted? Thanks!</P> Mon, 20 Aug 2012 05:47:37 GMT https://community.splunk.com/t5/Splunk-Search/Chart-by-month-still-alphabetical/m-p/38822#M8853 Ayn 2012-08-20T05:47:37Z