Solved: How can I sort time inside list(time)?

limalbert · ‎10-26-2017

So, I regex time from my splunk logs in form of (HH:MM:SS), and I am trying to build the report like

index: something
| regex Time
| regex Date
| regex User
| stats list( (regex)Time) by (regex)Date, (regex)User

Unfortunately, the list of (regex)Time is not showing up in orderly manner. How can I make this ordering in ascending manner?

Thanks in advance!

alemarzu · ‎10-26-2017

@limalbert

Try with ... | sort - <your time field>

View solution in original post

alemarzu · ‎10-26-2017

@limalbert

Try with ... | sort - <your time field>

limalbert · ‎10-26-2017

Sorry. This actually works, but the data has to be sorted prior putting it inside the list. So, I have to use the sort prior stats like below.

| sort - currentTime
| stats list( (regex)Time) by (regex)Date, (regex)User

limalbert · ‎10-26-2017

This doesn't work to sort data inside list. I tried.

limalbert · ‎10-26-2017

This doesn't work. I use it like below.

| stats list( (regex)Time) as theTime by (regex)Date, (regex)User
| sort - theTime

The output is still looking like below.

23:53:33
23:39:16
23:53:59
23:53:48
23:57:35
23:41:45
23:40:22
23:59:17
23:47:51
23:40:05
23:39:44
23:39:28
23:41:26
23:47:28
23:59:36
23:48:10
23:40:38
23:53:23
23:53:09

How can I sort time inside list(time)?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life