Solved: How can I sort time inside list(time)?

limalbert · ‎10-26-2017

So, I regex time from my splunk logs in form of (HH:MM:SS), and I am trying to build the report like

index: something
| regex Time
| regex Date
| regex User
| stats list( (regex)Time) by (regex)Date, (regex)User

Unfortunately, the list of (regex)Time is not showing up in orderly manner. How can I make this ordering in ascending manner?

Thanks in advance!

alemarzu · ‎10-26-2017

@limalbert

Try with ... | sort - <your time field>

View solution in original post

alemarzu · ‎10-26-2017

@limalbert

Try with ... | sort - <your time field>

limalbert · ‎10-26-2017

Sorry. This actually works, but the data has to be sorted prior putting it inside the list. So, I have to use the sort prior stats like below.

| sort - currentTime
| stats list( (regex)Time) by (regex)Date, (regex)User

limalbert · ‎10-26-2017

This doesn't work to sort data inside list. I tried.

limalbert · ‎10-26-2017

This doesn't work. I use it like below.

| stats list( (regex)Time) as theTime by (regex)Date, (regex)User
| sort - theTime

The output is still looking like below.

23:53:33
23:39:16
23:53:59
23:53:48
23:57:35
23:41:45
23:40:22
23:59:17
23:47:51
23:40:05
23:39:44
23:39:28
23:41:26
23:47:28
23:59:36
23:48:10
23:40:38
23:53:23
23:53:09

How can I sort time inside list(time)?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation