Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to sort a string time format to show the latest time?

ewise1
New Member
‎06-28-2017 01:58 PM

Hi,

I have a string date format that shows up when I do a search; what I did was did a field extraction and named that string as Date, and create a table and sort -Date to show the latest date, but apparently it doesn't work since it acts as a text. Please advice. Date formats are as below:

May 31 22:06:20 2017
May 29 22:06:20 2017
June 28 22:06:20 2017
June 27 22:06:20 2017

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2017 02:10 PM

You're right, Splunk is performing a lexicographical sort on your dates. To sort them in date order, use a hidden epoch timestamp.

... | eval sortDate=strptime(Date,"%b %d %H:%M:%S %Y") | sort sortDate | fields - sortDate
---
If this reply helps you, Karma would be appreciated.
Reply

ewise1
New Member
‎06-28-2017 02:24 PM

When I run my search for a month back I still see May before June.

sourcetype=aaaaaaa | eval sortDate=strptime(Date,"%b %d %H:%M:%S %Y") |sort sortDate|fields - sortDate| table Date, ID, COMMAND

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2017 02:29 PM

As somesoni2 suggests, try | sort - sortDate | to reverse the display order.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ewise1
New Member
‎06-28-2017 03:24 PM

Thanks for your comment 🙂

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-29-2017 10:19 AM

Did it work?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

somesoni2
Revered Legend
‎06-28-2017 02:17 PM

++
Only suggestion is that requester wants latest date first so you'd need | sort -sortDate .

Reply

ewise1
New Member
‎06-28-2017 03:23 PM

Thanks alot for the hint 🙂

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎06-28-2017 02:13 PM

For a more detailed proof that Rich is right:

| makeresults 
| eval raw="May 31 22:06:20 2017,
May 29 22:06:20 2017,
June 28 22:06:20 2017,
June 27 22:06:20 2017" | makemv raw delim="," | mvexpand raw 
| eval sortbytime=strptime(raw, "%b %d %H:%M:%S %Y") 
| sort sortbytime | fields - sortbytime

The dates are in the right order as you can see.

0 Karma
Reply

niketn
Legend
‎06-28-2017 02:25 PM

Slightly different version than @richgalloway. For sorting you either need epochtime (number of ticks) or else string time in YYYY/MM/DD HH:MM:SS format so that older date are smaller event with string comparison.

However, since you string time is not in above format, you would anyways need to first convert to epochTime. So 2nd approach is beating around the bush. The following approach lets you sort based on epoch time however, it does not create an additional field since the same epoch time is formatted as string time only for displaying in table.

... 
| eval Date=strptime(Date,"%b %d %H:%M:%S %Y") 
| sort Date 
| fieldformat Date=strftime(Date,"%b %d %H:%M:%S %Y")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

ewise1
New Member
‎06-28-2017 03:23 PM

Great Thanks 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...