https://community.splunk.com/t5/Splunk-Search/Time-format-and-table-sorting-issues/m-p/321509#M96062 <P>So, I have this search on events that cover from the 28th of February to the 6th of March, 2018:</P> <P><PRE>Some basic search<BR /> | eval customer_id = substr(host,2,5)<BR /> | eval session_duration = stop_time - start_time<BR /> | eval start_date = strftime(start_time,"%d/%m/%y %H:%M:%S")<BR /> | convert rmunit(session_duration) as numSecs<BR /> | eval stringSecs=tostring(numSecs,"duration")<BR /> | table customer_id, start_date, task_id, host_ip, from_user, stringSecs <BR /> | sort by start_time d<BR /> | rename customer_id as "Customer ID", start_date as "Session Start", task_id as "Task id", host_ip as "Accessed Host", from_user as "User ID", stringSecs as "Session Duration" </PRE></P> <P>Which is creating the perfect "starting" table I want, with the more recent data at the top, up until I click on the table header to modify the date.</P> <P><STRONG>Ascending:</STRONG> (expecting 28/02/18)<BR /> <IMG src="https://community.splunk.com/storage/temp/230639-splunk-date1.png" alt="alt text" /></P> <P><STRONG>Descending:</STRONG> (expecting 06/03/18) <BR /> <IMG src="https://community.splunk.com/storage/temp/230640-splunk-date2.png" alt="alt text" /></P> <P>From what I understand, even if I specified the European time format in the search, the interactive table sorting is based on alphanumerical order.</P> <P>One quick fix would be to use the ISO format (YYYY-MM-DD) (for which I am opting right now), but what if the end user want absolutely to have dd/mm/yy and be able to click on the header to change the order?<BR /> Is there an option to change this behavior?</P> <P>Thanks in advance.</P> <P></P> Tue, 29 Sep 2020 18:15:23 GMT jwillaime 2020-09-29T18:15:23Z https://community.splunk.com/t5/Splunk-Search/Time-format-and-table-sorting-issues/m-p/321509#M96062 <P>So, I have this search on events that cover from the 28th of February to the 6th of March, 2018:</P> <P><PRE>Some basic search<BR /> | eval customer_id = substr(host,2,5)<BR /> | eval session_duration = stop_time - start_time<BR /> | eval start_date = strftime(start_time,"%d/%m/%y %H:%M:%S")<BR /> | convert rmunit(session_duration) as numSecs<BR /> | eval stringSecs=tostring(numSecs,"duration")<BR /> | table customer_id, start_date, task_id, host_ip, from_user, stringSecs <BR /> | sort by start_time d<BR /> | rename customer_id as "Customer ID", start_date as "Session Start", task_id as "Task id", host_ip as "Accessed Host", from_user as "User ID", stringSecs as "Session Duration" </PRE></P> <P>Which is creating the perfect "starting" table I want, with the more recent data at the top, up until I click on the table header to modify the date.</P> <P><STRONG>Ascending:</STRONG> (expecting 28/02/18)<BR /> <IMG src="https://community.splunk.com/storage/temp/230639-splunk-date1.png" alt="alt text" /></P> <P><STRONG>Descending:</STRONG> (expecting 06/03/18) <BR /> <IMG src="https://community.splunk.com/storage/temp/230640-splunk-date2.png" alt="alt text" /></P> <P>From what I understand, even if I specified the European time format in the search, the interactive table sorting is based on alphanumerical order.</P> <P>One quick fix would be to use the ISO format (YYYY-MM-DD) (for which I am opting right now), but what if the end user want absolutely to have dd/mm/yy and be able to click on the header to change the order?<BR /> Is there an option to change this behavior?</P> <P>Thanks in advance.</P> <P></P> Tue, 29 Sep 2020 18:15:23 GMT https://community.splunk.com/t5/Splunk-Search/Time-format-and-table-sorting-issues/m-p/321509#M96062 jwillaime 2020-09-29T18:15:23Z https://community.splunk.com/t5/Splunk-Search/Time-format-and-table-sorting-issues/m-p/321510#M96063 <P>okay if <CODE>YYYY-MM-DD</CODE> format is fixing your issue then do that and if the end user want absolutely to have <CODE>dd/mm/yy</CODE> then you can try converting the time format after the sort </P> <PRE><CODE>Some basic search | eval customer_id = substr(host,2,5) | eval session_duration = stop_time - start_time | eval start_date = strftime(start_time,"%Y-%m-%d %H:%M:%S") | convert rmunit(session_duration) as numSecs | eval stringSecs=tostring(numSecs,"duration") | table customer_id, start_date, task_id, host_ip, from_user, stringSecs | sort by start_date | eval start_date=strftime(strptime(start_date,"%Y-%m-%d %H:%M:%S"),"%d/%m/%y %H:%M:%S") | rename customer_id as "Customer ID", start_date as "Session Start", task_id as "Task id", host_ip as "Accessed Host", from_user as "User ID", stringSecs as "Session Duration" </CODE></PRE> <P>OR<BR /> You can use another method (bit complex but useful ) in which you need to sort date year month individually along with the entire time format and then remove unnecessary fields .<BR /> Refer this answer<BR /> <A href="https://answers.splunk.com/answers/624327/how-to-arrange-by-monthyear-chronological-order.html#comment-624330">https://answers.splunk.com/answers/624327/how-to-arrange-by-monthyear-chronological-order.html#comment-624330</A></P> <P>let me know if this helps!</P> Wed, 07 Mar 2018 13:45:02 GMT https://community.splunk.com/t5/Splunk-Search/Time-format-and-table-sorting-issues/m-p/321510#M96063 mayurr98 2018-03-07T13:45:02Z https://community.splunk.com/t5/Splunk-Search/Time-format-and-table-sorting-issues/m-p/321511#M96064 <P>I would say to sort them first by and then do the eval to change the format.</P> Wed, 07 Mar 2018 16:28:28 GMT https://community.splunk.com/t5/Splunk-Search/Time-format-and-table-sorting-issues/m-p/321511#M96064 kollachandra 2018-03-07T16:28:28Z https://community.splunk.com/t5/Splunk-Search/Time-format-and-table-sorting-issues/m-p/321512#M96065 <P>Your first proposition has the same unwanted behavior. I'll take a look to the link you shared.</P> Thu, 08 Mar 2018 07:48:43 GMT https://community.splunk.com/t5/Splunk-Search/Time-format-and-table-sorting-issues/m-p/321512#M96065 jwillaime 2018-03-08T07:48:43Z