Sort a date in string format.

abhishekroy168 · ‎03-06-2018

hi
My requirement is to create a graph for incident vs time and sort them according to my field opened_at.
But while sorting what i observe is it sorts only by one thing,either year or month or date.
So now i have dates as Mar 2015,Feb,2018,Feb 2015,March 2016.
I want the sorted form as Mar 2015,Feb,2015,March 2016, Feb 2018.

Thank you

somesoni2 · ‎03-07-2018

Move your time formatting after the stats command

Replace

... | eval time=strftime(time,"%b %Y") | stats  count(number) by time

With

... | stats  count(number) by time | eval time=strftime(time,"%b %Y")

The time was in epoch format, so it'll sort correctly. You can just format it to user friendly after stats so sorting is maintained. With strftime invoke earlier, the timestamp is converted to string and sorting is done alphabetically not chronologically.

abhishekroy168 · ‎03-13-2018

hey somesoni2
Thanks for replying my query.
I had already tried the solution which you gave ... | stats count(number) by time | eval time=strftime(time,"%b %Y")
issue with this is the incidents gets grouped by day not month.
Like earlier all the incidents for a given month were in same bar but now there are individual bars for every day.
I need to group it by months.

Sort a date in string format.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life