Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I sort my search events by week?

ronniemakhombi
Explorer
‎12-17-2018 01:32 AM

I am new to Splunk. I am having a problem sorting my search results by week. I tried using the following dates as my earliest and latest dates as: 

| earliest="08/06/2018" latest="30/06/2018"

The following is a snippet for my events.

DATE,Number,Count,Amount
08/06/2018,267774,1,5
08/06/2018,267721,1,5
30/06/2018,2677759,1,5

Please help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-17-2018 01:50 AM

@ronniemakhombi,

Try using the week number in the sorting

your search|eval week_no=strftime( strptime(DATE,"%d/%m/%Y"),"%V")|sort week_no
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-17-2018 01:50 AM

@ronniemakhombi,

Try using the week number in the sorting

your search|eval week_no=strftime( strptime(DATE,"%d/%m/%Y"),"%V")|sort week_no
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 05:10 AM

Hi Renjith. The following is the output I received from

|eval time_in_epoch=strptime(DATE,"%d/%m/%Y")
|eval week_1=strftime(time_in_epoch,"%V")

I want to sort them as Week 1, Week 2, Week 3, Week 4

Preview file
7 KB
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-17-2018 06:24 AM

@ronniemakhombi,
Alright.
Try

"your current search"|sort week_1|streamstats count as _rowno|eval week_1="Week"._rowno
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 02:28 AM

Hi
renjith, Kindly explain ( strptime(DATE,"%d/%m/%Y"),"%V"). i used it as | eval week_1=strftime( strptime(DATE,"08/06/2018"),"%V")

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-17-2018 02:35 AM

strptime(DATE,"%d/%m/%Y") converts your DATE to an epoch time. Lets assume the field as e
strftime(e,"%V") extracts the week number from that.

So it can be splitted into two steps as well

|eval time_in_epoch=strptime(DATE,"%d/%m/%Y")
|eval week_1=strftime(time_in_epoch,"%V")

Hope that helps

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 04:35 AM

It worked thanx! It grouped my search results into 4. For the future, using

|eval time_in_epoch=strptime(DATE,"%d/%m/%Y")
|eval week_1=strftime(time_in_epoch,"%V")

How can I have the results displaying week 1, week 2, week 3 and week 4.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-17-2018 04:39 AM

Hows your output looks like now? Are there only 4 rows and the count is per week and sorted?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 06:16 AM

There are 4 rows and the count. These rows are as 23, 24, 25, 26 (These are not sorted), however, the count is sorted.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...