
How to edit my search to sort by month in chronological order?

demkic
Explorer

I have the following search, and it is currently displaying a graph grouped by day of the month but not in chronological order.

base query |bucket _time span=1d | eval day=strftime(_time,"%b %d, %y") | stats count as total by day | streamstats avg(total) | sort -day

How can I tweak this so the x-axis shows the months going from Dec 1, 16; Dec 2, 16; ... Jan 1, 17; Jan 2, 17; ... Feb ... Mar?
It is currently displaying December, Feb, Jan, Mar (in alphabetical order).

Thank you

Best,

0 Karma
1 Solution

rjthibod
Champion

You have to change the order of things. Do the strftime statement after the sort, and some other minor things.

base query 
| bucket _time span=1d 
| stats count as total by _time 
| streamstats avg(total) 
| sort -_time
| eval day=strftime(_time,"%b %d, %y") 
| table day total avg(total)


0 Karma

DalJeanis
Legend

Just as a general strategy, it would be good to train your users to read "2017-01-31", which means your data will always sort in the correct order.

0 Karma
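The ordering problem in this thread, reproduced in Python as an added illustration (not code from any of the posts): it mimics the asker's format-then-sort pipeline and the accepted answer's sort-on-_time-then-strftime pipeline on constructed daily counts, and also checks DalJeanis's point that a "%Y-%m-%d" label sorts correctly even as text. The daily counts and date range are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: one (epoch _time, count) pair per bucketed day, every
# 9 days from Dec 30, 2016 to Mar 3, 2017, like the output of
# "bucket _time span=1d | stats count as total by _time".
START = datetime(2016, 12, 30, tzinfo=timezone.utc)
SAMPLE = [(int((START + timedelta(days=i)).timestamp()), 100 + 7 * i)
          for i in range(0, 72, 9)]

def streamstats_avg(rows):
    """Running average of 'total' in row order, like 'streamstats avg(total)'."""
    out, running = [], 0
    for i, (t, total) in enumerate(rows, 1):
        running += total
        out.append((t, total, running / i))
    return out

def original_search(rows, fmt="%b %d, %y"):
    """Asker's pipeline: strftime first, then 'sort -day' on the text label."""
    labelled = [(datetime.fromtimestamp(t, timezone.utc).strftime(fmt), total)
                for t, total in rows]
    labelled.sort(key=lambda r: r[0], reverse=True)  # lexical sort on a string
    return [day for day, _ in labelled]

def accepted_search(rows, fmt="%b %d, %y"):
    """Accepted answer: stats/streamstats by _time, 'sort -_time', then strftime."""
    with_avg = streamstats_avg(sorted(rows))          # stats output is time-ascending
    with_avg.sort(key=lambda r: r[0], reverse=True)   # numeric sort on epoch _time
    return [datetime.fromtimestamp(t, timezone.utc).strftime(fmt)
            for t, _, _ in with_avg]

def time_order(days, fmt):
    """Return 'desc' or 'asc' if the labels are in strict time order, else None."""
    parsed = [datetime.strptime(d, fmt) for d in days]
    pairs = list(zip(parsed, parsed[1:]))
    if all(a > b for a, b in pairs):
        return "desc"
    if all(a < b for a, b in pairs):
        return "asc"
    return None

if __name__ == "__main__":
    print(original_search(SAMPLE), time_order(original_search(SAMPLE), "%b %d, %y"))
    print(accepted_search(SAMPLE), time_order(accepted_search(SAMPLE), "%b %d, %y"))
    iso = original_search(SAMPLE, "%Y-%m-%d")
    print(iso, time_order(iso, "%Y-%m-%d"))
```

Run it to see the "Mar, Jan, Feb, Dec" style ordering the asker describes come out of the first pipeline and a true chronological order out of the second.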


abhishekroy168
Path Finder

I downvoted this post because it doesn't work.

0 Karma

rjthibod
Champion

Can you clarify what doesn't work or share more details about your search? My token example works fine for me.

index=_internal earliest=-30d
 | fields _time
 | bucket _time span=1d 
 | stats count as total by _time 
 | streamstats avg(total) 
 | sort -_time
 | eval day=strftime(_time,"%b %d, %y") 
 | table day total avg(total)

day        | total  | avg(total)
Mar 05, 18 | 3349   | 85247.33333333333
Mar 03, 18 | 4107   | 101627
Feb 18, 18 | 66397  | 126007
Feb 17, 18 | 227887 | 145877
Feb 16, 18 | 171441 | 104872
Feb 15, 18 | 38303  | 38303

0 Karma