Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sort a table by a time field in text format

genesiusj
Builder
‎12-30-2019 08:30 AM

Hello,
Here's the problem.

Dashboard - Time picker is used to select a date range.
But this date range is not checked against _time field.
It is checked against a date field RECEIPTDATE in text format: Ex. 11/21/2019.

Thanks and God bless,
Genesius

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

genesiusj
Builder
‎12-30-2019 10:57 AM

Here's the solution.

    | eval convertedRECEIPTDATE=strptime(RECEIPTDATE, "%m/%d/%Y") 
    | eval receiptDateStart=strftime("$tok_time.earliest$", "%m/%d/%Y") 
    | eval receiptDateEnd=strftime("$tok_time.latest$", "%m/%d/%Y")
    | where convertedRECEIPTDATE >= $tok_time.earliest$ AND convertedRECEIPTDATE <= $tok_time.latest$

The results were what I needed, sort of. The rows were not sorted according to the RECEIPTDATE field. And when I manually sort on that field/column in the dashboard, the sort order is incorrect. It is based on text and not date.
11/21/2019
12/2/2019
3/1/2019
3/11/2019
3/2/2019
etc.....

I tried sorting on the convertedRECEIPTDATE, 

    | sort convertedRECEIPTDATE

but this did not work, and the column for convertedRECEIPTDATE field was empty. This did not make sense, because when I ran a separate search of this dashboard panel, convertedRECEIPTDATE is a field with valid epoch date values.

I considered adding convertedRECEIPTDATE to my stats command, before the sort and table commands. But thought this might be an issue.

| stats sum(TOTAMT) AS TOTAMT1, sum(ORIGCOSAMT) AS ORIGCOSAMT1, sum(ORIGFEEAMT) AS ORIGFEEAMT1 BY APPLICATIONNAME, RECEIPTDATE, convertedRECEIPTDATE

Does anyone know if this adds any CPU cycles or IOPS (running the same stats on identical BY clauses (RECEIPTDATE and convertedRECEIPTDATE)? However, it does work.

Here is the entire SPL for this panel.

    index=$tok_index$
        AND FAILCODE=N
        AND APPLICATIONNAME=$tok_payApp$
    | eval convertedRECEIPTDATE=strptime(RECEIPTDATE, "%m/%d/%Y") 
    | eval receiptDateStart=strftime("$tok_time.earliest$", "%m/%d/%Y") 
    | eval receiptDateEnd=strftime("$tok_time.latest$", "%m/%d/%Y")
    | where convertedRECEIPTDATE >= $tok_time.earliest$ AND convertedRECEIPTDATE <= $tok_time.latest$
    | dedup TOKEN 
    | eval TOTAMT=coalesce(TOTALAMOUNT, RPT_ORIG_TRANS_TOTAL_AMOUNT) 
    | eval ORIGCOSAMT=coalesce(ORIG_COS_AMOUNT, RPT_ORIG_COS_AMOUNT) 
    | eval ORIGFEEAMT=coalesce(ORIG_FEE_AMOUNT,RPT_ORIG_FEE_AMOUNT) 
    | stats sum(TOTAMT) AS TOTAMT1, sum(ORIGCOSAMT) AS ORIGCOSAMT1, sum(ORIGFEEAMT) AS ORIGFEEAMT1 BY APPLICATIONNAME, RECEIPTDATE, convertedRECEIPTDATE 
    | eval TOTAMT2="$".tostring(round(TOTAMT1,2),"commas") 
    | eval ORIGCOSAMT2="$".tostring(round(ORIGCOSAMT1,2),"commas") 
    | eval ORIGFEEAMT2="$".tostring(round(ORIGFEEAMT1,2),"commas") 
    | rename APPLICATIONNAME AS "Pay Credit Card Application", RECEIPTDATE AS "Receipt Date", TOTAMT2 AS "Total Amount", ORIGCOSAMT2 AS "Original Cost Amount", ORIGFEEAMT2 AS "Transaction Fees Amount" 
    | sort convertedRECEIPTDATE
    | table "Pay Credit Card Application", "Receipt Date", "Total Amount", "Original Cost Amount", "Transaction Fees Amount"

So the moral of the story (problem) is, if you need to sort on a date field, but it is in text format,

  1. Create a new field using eval and strptime.
  2. Use both the new and original fields in the BY clause of your stats command.
  3. sort your results by the new field only.
  4. Leave the new field out of your table command.

Thanks and God bless,
Genesius

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

genesiusj
Builder
‎12-30-2019 10:57 AM

Here's the solution.

    | eval convertedRECEIPTDATE=strptime(RECEIPTDATE, "%m/%d/%Y") 
    | eval receiptDateStart=strftime("$tok_time.earliest$", "%m/%d/%Y") 
    | eval receiptDateEnd=strftime("$tok_time.latest$", "%m/%d/%Y")
    | where convertedRECEIPTDATE >= $tok_time.earliest$ AND convertedRECEIPTDATE <= $tok_time.latest$

The results were what I needed, sort of. The rows were not sorted according to the RECEIPTDATE field. And when I manually sort on that field/column in the dashboard, the sort order is incorrect. It is based on text and not date.
11/21/2019
12/2/2019
3/1/2019
3/11/2019
3/2/2019
etc.....

I tried sorting on the convertedRECEIPTDATE, 

    | sort convertedRECEIPTDATE

but this did not work, and the column for convertedRECEIPTDATE field was empty. This did not make sense, because when I ran a separate search of this dashboard panel, convertedRECEIPTDATE is a field with valid epoch date values.

I considered adding convertedRECEIPTDATE to my stats command, before the sort and table commands. But thought this might be an issue.

| stats sum(TOTAMT) AS TOTAMT1, sum(ORIGCOSAMT) AS ORIGCOSAMT1, sum(ORIGFEEAMT) AS ORIGFEEAMT1 BY APPLICATIONNAME, RECEIPTDATE, convertedRECEIPTDATE

Does anyone know if this adds any CPU cycles or IOPS (running the same stats on identical BY clauses (RECEIPTDATE and convertedRECEIPTDATE)? However, it does work.

Here is the entire SPL for this panel.

    index=$tok_index$
        AND FAILCODE=N
        AND APPLICATIONNAME=$tok_payApp$
    | eval convertedRECEIPTDATE=strptime(RECEIPTDATE, "%m/%d/%Y") 
    | eval receiptDateStart=strftime("$tok_time.earliest$", "%m/%d/%Y") 
    | eval receiptDateEnd=strftime("$tok_time.latest$", "%m/%d/%Y")
    | where convertedRECEIPTDATE >= $tok_time.earliest$ AND convertedRECEIPTDATE <= $tok_time.latest$
    | dedup TOKEN 
    | eval TOTAMT=coalesce(TOTALAMOUNT, RPT_ORIG_TRANS_TOTAL_AMOUNT) 
    | eval ORIGCOSAMT=coalesce(ORIG_COS_AMOUNT, RPT_ORIG_COS_AMOUNT) 
    | eval ORIGFEEAMT=coalesce(ORIG_FEE_AMOUNT,RPT_ORIG_FEE_AMOUNT) 
    | stats sum(TOTAMT) AS TOTAMT1, sum(ORIGCOSAMT) AS ORIGCOSAMT1, sum(ORIGFEEAMT) AS ORIGFEEAMT1 BY APPLICATIONNAME, RECEIPTDATE, convertedRECEIPTDATE 
    | eval TOTAMT2="$".tostring(round(TOTAMT1,2),"commas") 
    | eval ORIGCOSAMT2="$".tostring(round(ORIGCOSAMT1,2),"commas") 
    | eval ORIGFEEAMT2="$".tostring(round(ORIGFEEAMT1,2),"commas") 
    | rename APPLICATIONNAME AS "Pay Credit Card Application", RECEIPTDATE AS "Receipt Date", TOTAMT2 AS "Total Amount", ORIGCOSAMT2 AS "Original Cost Amount", ORIGFEEAMT2 AS "Transaction Fees Amount" 
    | sort convertedRECEIPTDATE
    | table "Pay Credit Card Application", "Receipt Date", "Total Amount", "Original Cost Amount", "Transaction Fees Amount"

So the moral of the story (problem) is, if you need to sort on a date field, but it is in text format,

  1. Create a new field using eval and strptime.
  2. Use both the new and original fields in the BY clause of your stats command.
  3. sort your results by the new field only.
  4. Leave the new field out of your table command.

Thanks and God bless,
Genesius

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-30-2019 10:07 AM

Thanks for sharing, @genesiusj . To help future readers find your solution, please edit your posting into a question and put the solution in an answer. Then accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...