Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I sort my search events by week?

ronniemakhombi
Explorer
‎12-17-2018 01:32 AM

I am new to Splunk. I am having a problem sorting my search results by week. I tried using the following dates as my earliest and latest dates as: 

| earliest="08/06/2018" latest="30/06/2018"

The following is a snippet for my events.

DATE,Number,Count,Amount
08/06/2018,267774,1,5
08/06/2018,267721,1,5
30/06/2018,2677759,1,5

Please help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-17-2018 01:50 AM

@ronniemakhombi,

Try using the week number in the sorting

your search|eval week_no=strftime( strptime(DATE,"%d/%m/%Y"),"%V")|sort week_no
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-17-2018 01:50 AM

@ronniemakhombi,

Try using the week number in the sorting

your search|eval week_no=strftime( strptime(DATE,"%d/%m/%Y"),"%V")|sort week_no
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 05:10 AM

Hi Renjith. The following is the output I received from

|eval time_in_epoch=strptime(DATE,"%d/%m/%Y")
|eval week_1=strftime(time_in_epoch,"%V")

I want to sort them as Week 1, Week 2, Week 3, Week 4

Preview file
7 KB
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-17-2018 06:24 AM

@ronniemakhombi,
Alright.
Try

"your current search"|sort week_1|streamstats count as _rowno|eval week_1="Week"._rowno
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 02:28 AM

Hi
renjith, Kindly explain ( strptime(DATE,"%d/%m/%Y"),"%V"). i used it as | eval week_1=strftime( strptime(DATE,"08/06/2018"),"%V")

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-17-2018 02:35 AM

strptime(DATE,"%d/%m/%Y") converts your DATE to an epoch time. Lets assume the field as e
strftime(e,"%V") extracts the week number from that.

So it can be splitted into two steps as well

|eval time_in_epoch=strptime(DATE,"%d/%m/%Y")
|eval week_1=strftime(time_in_epoch,"%V")

Hope that helps

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 04:35 AM

It worked thanx! It grouped my search results into 4. For the future, using

|eval time_in_epoch=strptime(DATE,"%d/%m/%Y")
|eval week_1=strftime(time_in_epoch,"%V")

How can I have the results displaying week 1, week 2, week 3 and week 4.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-17-2018 04:39 AM

Hows your output looks like now? Are there only 4 rows and the count is per week and sorted?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 06:16 AM

There are 4 rows and the count. These rows are as 23, 24, 25, 26 (These are not sorted), however, the count is sorted.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...