Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to order chronologically when _time has been evaluated with strftime?

3DGjos
Communicator
‎12-12-2019 08:01 AM

Hello, I always have problems ordering my events after evaluating _time to something else. See this query for example:

| mybasesearch
| eval "Last seen"=strftime(_time, "%d/%m/%Y %H:%M") 
| morequerytablestuff
| sort - _time
| fields - _time

Here I had to keep _time in my table, sort the events, and then remove the _time field from it.

Is there a better way of achieving this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-12-2019 04:18 PM

Don't do it that way, use fieldformat like this:

mybasesearch
| rename _time AS "Last seen"
| fieldformat  "Last seen"=strftime('Last seen', "%d/%m/%Y %H:%M") 
| morequerytablestuff
| sort 0 - "Last seen"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-12-2019 04:18 PM

Don't do it that way, use fieldformat like this:

mybasesearch
| rename _time AS "Last seen"
| fieldformat  "Last seen"=strftime('Last seen', "%d/%m/%Y %H:%M") 
| morequerytablestuff
| sort 0 - "Last seen"
0 Karma
Reply
Solved! Jump to solution

Anantha123
Communicator
‎12-12-2019 08:44 AM

Hi,

you have to use "Last seen" for rest of your query and you are evaluating and assigning _time value to this variable

give |sort - "Last seen" | fields - "Last seen".

Thanks
Anantha.

0 Karma
Reply
Solved! Jump to solution

3DGjos
Communicator
‎12-12-2019 09:13 AM

Hello,
I know that. The thing is, when I sort by "Last seen", splunk does not recognize the field as a date field. So it sort it numerically as text string, then it does not respect the date order.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-12-2019 08:42 AM

Hi @3DGjos,
your search seems to be correct, only one thing: don't use space between - and _time (that instead you have to use in fields command), so use something like this

mybasesearch
| eval "Last seen"=strftime(_time, "%d/%m/%Y %H:%M") 
| morequerytablestuff
| sort -_time
| fields - _time

Then I have two questions:

  • at the end of your basesearch (I think that you're speaking of Post Process Search), did you used the command fields with all the fields you need in panels' searches including _time?
  • in morequerytablestuff have you some stats or chart or timechart commands? if yes, remember that after you can use ony the fields that are in the command.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

3DGjos
Communicator
‎12-12-2019 09:16 AM

Hello,
yes i'm passing the _time values in my stats command, and passed all the fields from the base search.

the problem is, that splunk does not recognize the "last seen" field as a date field.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-12-2019 09:31 AM

Hi @3DGjos,
infact "last seen" field is a string that is sorted as a string in alphabetical order, for this reason it's correct to sort for _time.

Yoy eventually could change the order of the statements:

 mybasesearch
 | morequerytablestuff
 | sort -_time
 | reame _time AS "Last seen"
 | eval "Last seen"=strftime("Last seen", "%d/%m/%Y %H:%M")

but this solution isn't so different from your one.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...