How to format output of a query

sudeep5689 · ‎05-29-2020

I have a query with time range earliest=-2mon@mon latest=-1mon@mon . Now can i store the result as the month name which comes between earliest and latest ? E.g., for above example its should be March

493669 · ‎05-29-2020

Try below to capital first letter of month

... | eval date_month = upper(substr(date_month,1,1)).substr(date_month,2)

sudeep5689 · ‎05-29-2020

Ok 1 more issue that o/p shows April first and then March, is there a way to show March first and then April. This o/p is coming from two queries appended together. My objective is to show a month wise comparison starting from March to April etc. and so on

493669 · ‎05-30-2020

you may try-

|sort 0 - date_month

OR

|sort 0 - _time

493669 · ‎05-29-2020

@sudeep5689 since date_month field is coming in your data it should have your expected month value

sudeep5689 · ‎05-29-2020

Yes thats worked but its showing the month name as march, april. Can we format it to show as April and March. Please add your solution as the answer

493669 · ‎05-29-2020

date_month field should not show comma separeted values it will either show march or april but not both as comma separeted . can you share any screen shot what you are getting in date_month field.

sudeep5689 · ‎05-29-2020

Its coming fine . Just its like there are two rows coming as april and march. I want to show them like April March, first letter in caps

How to format output of a query

Other

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]