Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sorting of Fields base on Timestamp

Zyon
Engager
‎08-26-2013 07:16 AM

Hello!

Im trying to sort a field based on the timestamp.

This is my current search command

sourcetype=log | eval date_readable=date_mday." ".date_month | stats count by date_readable

Using this search command, I'm able to produce the following graph in my dashboard.
Graph: http://i40.tinypic.com/2ai0zzn.png

However, the date is not sort in a correct sequence. Is there anyway for me to sort the date_readable field according to timestamp?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-26-2013 07:43 AM

Well, from what it looks like in the picture, it is sorted on date_readable. Unfortunately for you, date_readable has no special meaning to Splunk - it's just a string.

I'd suggest that you do the following instead;

sourcetype=log | timechart span=1d count

That will sort it automatically.

UPDATE:

linu1988 has a point here - there is a difference between _time and the date_* fields. In your original search query, you used the date_* fields, but the timechart approach I suggested uses _time.

See lguinns excellent explanation here;

http://answers.splunk.com/answers/99451/variance-betweeen-time-and-date-fields

/K

View solution in original post

Reply
Solved! Jump to solution

linu1988
Champion
‎08-26-2013 07:56 AM

because it's still a string not a date.

Convert into time using strftime()/ convert then do a sort then chart...

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-26-2013 07:43 AM

Well, from what it looks like in the picture, it is sorted on date_readable. Unfortunately for you, date_readable has no special meaning to Splunk - it's just a string.

I'd suggest that you do the following instead;

sourcetype=log | timechart span=1d count

That will sort it automatically.

UPDATE:

linu1988 has a point here - there is a difference between _time and the date_* fields. In your original search query, you used the date_* fields, but the timechart approach I suggested uses _time.

See lguinns excellent explanation here;

http://answers.splunk.com/answers/99451/variance-betweeen-time-and-date-fields

/K

Reply
Solved! Jump to solution

Zyon
Engager
‎08-26-2013 08:00 AM

sourcetype=log | timechart span=1d count works for me! Thanks a lot! (:

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎08-26-2013 07:57 AM

If the eventtime is matching with the log time, if not _time needs to assigned from logs then chart...

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...