All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: sorting by date timestamp not working as expec...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ebailey
Communicator
12-18-2014
06:03 AM
I am working with the lastlog script in the nix TA. The output is not in order like it would be if I just ran the last command from the CLI so I am trying to sort the output by date of last login to make it useful but I am not having much luck.
index=os sourcetype=lastlog host=test | multikv | dedup LATEST | table LATEST | sort LATEST
Aug 27 19:05:48 2014
Aug 29 23:12:12 2013
Aug 7 12:10:25 2014
Aug 9 07:04:39 2013
Dec 12 00:17:34 2014
Dec 17 07:39:17 2014
Dec 17 09:24:28 2014
Any ideas?
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gfuente
Motivator
12-18-2014
08:09 AM
Hello
In your example, LATEST is a text, so when you sort it, it´s beign sort lexicographically. You should need to convert that timestamp to epoch, sort it, and then convert it back to human readable format. Something like:
index=os sourcetype=lastlog host=test | multikv | dedup LATEST | eval LATEST = strptime(LATEST,"%b %d %H:%M:%S %Y") | table LATEST | sort LATEST | eval LATEST = strftime(LATEST,"%b %d %H:%M:%S %Y")
Didn´t test it, so maybe there is something missing, but the general idea should do it
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gfuente
Motivator
12-18-2014
08:09 AM
Hello
In your example, LATEST is a text, so when you sort it, it´s beign sort lexicographically. You should need to convert that timestamp to epoch, sort it, and then convert it back to human readable format. Something like:
index=os sourcetype=lastlog host=test | multikv | dedup LATEST | eval LATEST = strptime(LATEST,"%b %d %H:%M:%S %Y") | table LATEST | sort LATEST | eval LATEST = strftime(LATEST,"%b %d %H:%M:%S %Y")
Didn´t test it, so maybe there is something missing, but the general idea should do it
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ebaileytu
Communicator
01-05-2015
02:55 PM
That is it - just add a = to the last eval
index=os sourcetype=lastlog host=test | multikv | dedup LATEST | eval LATEST = strptime(LATEST,"%b %d %H:%M:%S %Y") | table LATEST | sort LATEST | eval LATEST = strftime(LATEST,"%b %d %H:%M:%S %Y")
Thanks!
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
