Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I sort my search events by week?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am new to Splunk. I am having a problem sorting my search results by week. I tried using the following dates as my earliest and latest dates as:
| earliest="08/06/2018" latest="30/06/2018"
The following is a snippet for my events.
DATE,Number,Count,Amount
08/06/2018,267774,1,5
08/06/2018,267721,1,5
30/06/2018,2677759,1,5
Please help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ronniemakhombi,
Try using the week number in the sorting
your search|eval week_no=strftime( strptime(DATE,"%d/%m/%Y"),"%V")|sort week_no
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ronniemakhombi,
Try using the week number in the sorting
your search|eval week_no=strftime( strptime(DATE,"%d/%m/%Y"),"%V")|sort week_no
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ronniemakhombi,
Alright.
Try
"your current search"|sort week_1|streamstats count as _rowno|eval week_1="Week"._rowno
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
renjith, Kindly explain ( strptime(DATE,"%d/%m/%Y"),"%V"). i used it as | eval week_1=strftime( strptime(DATE,"08/06/2018"),"%V")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
strptime(DATE,"%d/%m/%Y") converts your DATE to an epoch time. Lets assume the field as e
strftime(e,"%V") extracts the week number from that.
So it can be splitted into two steps as well
|eval time_in_epoch=strptime(DATE,"%d/%m/%Y")
|eval week_1=strftime(time_in_epoch,"%V")
Hope that helps
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked thanx! It grouped my search results into 4. For the future, using
|eval time_in_epoch=strptime(DATE,"%d/%m/%Y")
|eval week_1=strftime(time_in_epoch,"%V")
How can I have the results displaying week 1, week 2, week 3 and week 4.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hows your output looks like now? Are there only 4 rows and the count is per week and sorted?
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are 4 rows and the count. These rows are as 23, 24, 25, 26 (These are not sorted), however, the count is sorted.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
