Solved: sorting by date timestamp not working as expected

ebailey · ‎12-18-2014

I am working with the lastlog script in the nix TA. The output is not in order like it would be if I just ran the last command from the CLI so I am trying to sort the output by date of last login to make it useful but I am not having much luck.

index=os sourcetype=lastlog host=test | multikv | dedup LATEST | table LATEST | sort LATEST

Aug 27 19:05:48 2014
Aug 29 23:12:12 2013
Aug 7 12:10:25 2014
Aug 9 07:04:39 2013
Dec 12 00:17:34 2014
Dec 17 07:39:17 2014
Dec 17 09:24:28 2014

Any ideas?

Thanks!

gfuente · ‎12-18-2014

Hello

In your example, LATEST is a text, so when you sort it, it´s beign sort lexicographically. You should need to convert that timestamp to epoch, sort it, and then convert it back to human readable format. Something like:

index=os sourcetype=lastlog host=test | multikv | dedup LATEST | eval LATEST = strptime(LATEST,"%b %d %H:%M:%S %Y") | table LATEST | sort LATEST | eval LATEST = strftime(LATEST,"%b %d %H:%M:%S %Y")

Didn´t test it, so maybe there is something missing, but the general idea should do it

Regards

View solution in original post

gfuente · ‎12-18-2014

Hello

In your example, LATEST is a text, so when you sort it, it´s beign sort lexicographically. You should need to convert that timestamp to epoch, sort it, and then convert it back to human readable format. Something like:

index=os sourcetype=lastlog host=test | multikv | dedup LATEST | eval LATEST = strptime(LATEST,"%b %d %H:%M:%S %Y") | table LATEST | sort LATEST | eval LATEST = strftime(LATEST,"%b %d %H:%M:%S %Y")

Didn´t test it, so maybe there is something missing, but the general idea should do it

Regards

ebaileytu · ‎01-05-2015

That is it - just add a = to the last eval

Thanks!

sorting by date timestamp not working as expected

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

The Great Resilience Quest: 9th Leaderboard Update