Hello, I always have problems ordering my events after evaluating _time to something else. See this query for example:
| mybasesearch
| eval "Last seen"=strftime(_time, "%d/%m/%Y %H:%M")
| morequerytablestuff
| sort - _time
| fields - _time
Here I had to keep _time in my table, sort the events, and then remove the _time field from it.
Is there a better way of achieving this?
Don't do it that way, use fieldformat
like this:
mybasesearch
| rename _time AS "Last seen"
| fieldformat "Last seen"=strftime('Last seen', "%d/%m/%Y %H:%M")
| morequerytablestuff
| sort 0 - "Last seen"
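The difference between sorting on the strftime string and sorting on the underlying epoch (the point of the fieldformat answer above, and of the later reply that the "last seen" string sorts alphabetically) as an added Python model of both pipelines; this is example code, not from the thread or from Splunk, and the events, hosts and timestamps are constructed:

```python
from datetime import datetime, timezone

# Constructed sample events: (host, _time as epoch seconds). Not from the thread.
EVENTS = [
    ("web01", 1704067200),  # 01/01/2024 00:00 UTC
    ("web02", 1706745600),  # 01/02/2024 00:00 UTC
    ("web03", 1672531200),  # 01/01/2023 00:00 UTC
    ("web04", 1675209600),  # 01/02/2023 00:00 UTC
]
FMT = "%d/%m/%Y %H:%M"  # the display format used in the question


def strftime(epoch, fmt=FMT):
    """Mimics eval strftime(_time, fmt). UTC keeps the demo deterministic."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(fmt)


def eval_then_sort(events):
    """The original pipeline: eval "Last seen"=strftime(...) then sort on that field.

    "Last seen" is now a plain string, so the sort is alphabetical: a day/month/year
    layout compares the day first, so dates from different years interleave.
    """
    rows = [{"host": h, "Last seen": strftime(t)} for h, t in events]
    rows.sort(key=lambda r: r["Last seen"], reverse=True)
    return [r["host"] for r in rows]


def fieldformat_then_sort(events):
    """The fieldformat pipeline: rename _time AS "Last seen", sort on the numeric epoch,
    and apply the date format only when rendering (what fieldformat does at display time).
    """
    rows = [{"host": h, "Last seen": t} for h, t in events]
    rows.sort(key=lambda r: r["Last seen"], reverse=True)  # numeric, newest first
    return [(r["host"], strftime(r["Last seen"])) for r in rows]


if __name__ == "__main__":
    print("string sort :", eval_then_sort(EVENTS))
    print("epoch sort  :", fieldformat_then_sort(EVENTS))
```

With these four events the string sort places web04 (February 2023) above web01 (January 2024), while the epoch sort returns the true newest-first order.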
Hi,
you have to use "Last seen" for the rest of your query, since you are evaluating and assigning the _time value to this variable.
give |sort - "Last seen" | fields - "Last seen" .
Thanks
Anantha.
Hello,
I know that. The thing is, when I sort by "Last seen", Splunk does not recognize the field as a date field. So it sorts it numerically as a text string, and then it does not respect the date order.
Hi @3DGjos,
your search seems to be correct, with only one thing: don't use a space between - and _time (which instead you have to use in the fields command), so use something like this
mybasesearch
| eval "Last seen"=strftime(_time, "%d/%m/%Y %H:%M")
| morequerytablestuff
| sort -_time
| fields - _time
Then I have two questions:
Ciao.
Giuseppe
Hello,
yes, I'm passing the _time values in my stats command, and I passed all the fields from the base search.
The problem is that Splunk does not recognize the "last seen" field as a date field.
Hi @3DGjos,
In fact, the "last seen" field is a string that is sorted as a string in alphabetical order; for this reason it's correct to sort by _time.
You could eventually change the order of the statements:
mybasesearch
| morequerytablestuff
| sort -_time
| rename _time AS "Last seen"
| eval "Last seen"=strftime('Last seen', "%d/%m/%Y %H:%M")
but this solution isn't so different from yours.
Ciao.
Giuseppe