Solved: How to modify my search to sort date values in ord...

lchin · ‎09-26-2016

Hello, Splunk rookie here,

I have a field in my data set that shows a date (ie. 06/26/2016) which I have used to populate a checkbox form. Here is my search string:

index="cleanout_dash2" sourcetype="csv" ACTUAL_CO_DATE=*  | dedup ACTUAL_CO_DATE

I use the dedup command to get only unique values however those values appear in a random order. I have tried adding the sort command with no success. May I have the wrong syntax.

Thanks,

Lonnie

somesoni2 · ‎09-26-2016

This should do it. Right now doing sorting in ascending order. Change | sort sortfield with | sort -sortfield if you want descending order.

index="cleanout_dash2" sourcetype="csv" ACTUAL_CO_DATE=*  | dedup ACTUAL_CO_DATE | eval sortfield=strptime(ACTUAL_CO_DATE,"%m/%d/%Y") | sort sortfield | table ACTUAL_CO_DATE

View solution in original post

somesoni2 · ‎09-26-2016

This should do it. Right now doing sorting in ascending order. Change | sort sortfield with | sort -sortfield if you want descending order.

index="cleanout_dash2" sourcetype="csv" ACTUAL_CO_DATE=*  | dedup ACTUAL_CO_DATE | eval sortfield=strptime(ACTUAL_CO_DATE,"%m/%d/%Y") | sort sortfield | table ACTUAL_CO_DATE

lchin · ‎09-26-2016

Thanks so much that worked perfectly. I was screwing up the syntax in the eval command.

How to modify my search to sort date values in order to populate a check box form?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?