Splunk Search

How to sort a table by a time field in text format

genesiusj
Builder

Hello,
Here's the problem.

Dashboard - Time picker is used to select a date range.
But this date range is not checked against _time field.
It is checked against a date field RECEIPTDATE in text format: Ex. 11/21/2019.

Thanks and God bless,
Genesius

0 Karma
1 Solution

genesiusj
Builder

Here's the solution.

    | eval convertedRECEIPTDATE=strptime(RECEIPTDATE, "%m/%d/%Y") 
    | eval receiptDateStart=strftime("$tok_time.earliest$", "%m/%d/%Y") 
    | eval receiptDateEnd=strftime("$tok_time.latest$", "%m/%d/%Y")
    | where convertedRECEIPTDATE >= $tok_time.earliest$ AND convertedRECEIPTDATE <= $tok_time.latest$

The results were what I needed, sort of. The rows were not sorted according to the RECEIPTDATE field. And when I manually sort on that field/column in the dashboard, the sort order is incorrect. It is based on text and not date.
11/21/2019
12/2/2019
3/1/2019
3/11/2019
3/2/2019
etc.....

I tried sorting on the convertedRECEIPTDATE,

    | sort convertedRECEIPTDATE

but this did not work, and the column for convertedRECEIPTDATE field was empty. This did not make sense, because when I ran a separate search of this dashboard panel, convertedRECEIPTDATE is a field with valid epoch date values.

I considered adding convertedRECEIPTDATE to my stats command, before the sort and table commands. But thought this might be an issue.

| stats sum(TOTAMT) AS TOTAMT1, sum(ORIGCOSAMT) AS ORIGCOSAMT1, sum(ORIGFEEAMT) AS ORIGFEEAMT1 BY APPLICATIONNAME, RECEIPTDATE, convertedRECEIPTDATE

Does anyone know if this adds any CPU cycles or IOPS (running the same stats on identical BY clauses (RECEIPTDATE and convertedRECEIPTDATE)? However, it does work.

Here is the entire SPL for this panel.

    index=$tok_index$
        AND FAILCODE=N
        AND APPLICATIONNAME=$tok_payApp$
    | eval convertedRECEIPTDATE=strptime(RECEIPTDATE, "%m/%d/%Y") 
    | eval receiptDateStart=strftime("$tok_time.earliest$", "%m/%d/%Y") 
    | eval receiptDateEnd=strftime("$tok_time.latest$", "%m/%d/%Y")
    | where convertedRECEIPTDATE >= $tok_time.earliest$ AND convertedRECEIPTDATE <= $tok_time.latest$
    | dedup TOKEN 
    | eval TOTAMT=coalesce(TOTALAMOUNT, RPT_ORIG_TRANS_TOTAL_AMOUNT) 
    | eval ORIGCOSAMT=coalesce(ORIG_COS_AMOUNT, RPT_ORIG_COS_AMOUNT) 
    | eval ORIGFEEAMT=coalesce(ORIG_FEE_AMOUNT,RPT_ORIG_FEE_AMOUNT) 
    | stats sum(TOTAMT) AS TOTAMT1, sum(ORIGCOSAMT) AS ORIGCOSAMT1, sum(ORIGFEEAMT) AS ORIGFEEAMT1 BY APPLICATIONNAME, RECEIPTDATE, convertedRECEIPTDATE 
    | eval TOTAMT2="$".tostring(round(TOTAMT1,2),"commas") 
    | eval ORIGCOSAMT2="$".tostring(round(ORIGCOSAMT1,2),"commas") 
    | eval ORIGFEEAMT2="$".tostring(round(ORIGFEEAMT1,2),"commas") 
    | rename APPLICATIONNAME AS "Pay Credit Card Application", RECEIPTDATE AS "Receipt Date", TOTAMT2 AS "Total Amount", ORIGCOSAMT2 AS "Original Cost Amount", ORIGFEEAMT2 AS "Transaction Fees Amount" 
    | sort convertedRECEIPTDATE
    | table "Pay Credit Card Application", "Receipt Date", "Total Amount", "Original Cost Amount", "Transaction Fees Amount"

So the moral of the story (problem) is, if you need to sort on a date field, but it is in text format,

  1. Create a new field using eval and strptime.
  2. Use both the new and original fields in the BY clause of your stats command.
  3. sort your results by the new field only.
  4. Leave the new field out of your table command.

Thanks and God bless,
Genesius

View solution in original post

0 Karma

genesiusj
Builder

Here's the solution.

    | eval convertedRECEIPTDATE=strptime(RECEIPTDATE, "%m/%d/%Y") 
    | eval receiptDateStart=strftime("$tok_time.earliest$", "%m/%d/%Y") 
    | eval receiptDateEnd=strftime("$tok_time.latest$", "%m/%d/%Y")
    | where convertedRECEIPTDATE >= $tok_time.earliest$ AND convertedRECEIPTDATE <= $tok_time.latest$

The results were what I needed, sort of. The rows were not sorted according to the RECEIPTDATE field. And when I manually sort on that field/column in the dashboard, the sort order is incorrect. It is based on text and not date.
11/21/2019
12/2/2019
3/1/2019
3/11/2019
3/2/2019
etc.....

I tried sorting on the convertedRECEIPTDATE,

    | sort convertedRECEIPTDATE

but this did not work, and the column for convertedRECEIPTDATE field was empty. This did not make sense, because when I ran a separate search of this dashboard panel, convertedRECEIPTDATE is a field with valid epoch date values.

I considered adding convertedRECEIPTDATE to my stats command, before the sort and table commands. But thought this might be an issue.

| stats sum(TOTAMT) AS TOTAMT1, sum(ORIGCOSAMT) AS ORIGCOSAMT1, sum(ORIGFEEAMT) AS ORIGFEEAMT1 BY APPLICATIONNAME, RECEIPTDATE, convertedRECEIPTDATE

Does anyone know if this adds any CPU cycles or IOPS (running the same stats on identical BY clauses (RECEIPTDATE and convertedRECEIPTDATE)? However, it does work.

Here is the entire SPL for this panel.

    index=$tok_index$
        AND FAILCODE=N
        AND APPLICATIONNAME=$tok_payApp$
    | eval convertedRECEIPTDATE=strptime(RECEIPTDATE, "%m/%d/%Y") 
    | eval receiptDateStart=strftime("$tok_time.earliest$", "%m/%d/%Y") 
    | eval receiptDateEnd=strftime("$tok_time.latest$", "%m/%d/%Y")
    | where convertedRECEIPTDATE >= $tok_time.earliest$ AND convertedRECEIPTDATE <= $tok_time.latest$
    | dedup TOKEN 
    | eval TOTAMT=coalesce(TOTALAMOUNT, RPT_ORIG_TRANS_TOTAL_AMOUNT) 
    | eval ORIGCOSAMT=coalesce(ORIG_COS_AMOUNT, RPT_ORIG_COS_AMOUNT) 
    | eval ORIGFEEAMT=coalesce(ORIG_FEE_AMOUNT,RPT_ORIG_FEE_AMOUNT) 
    | stats sum(TOTAMT) AS TOTAMT1, sum(ORIGCOSAMT) AS ORIGCOSAMT1, sum(ORIGFEEAMT) AS ORIGFEEAMT1 BY APPLICATIONNAME, RECEIPTDATE, convertedRECEIPTDATE 
    | eval TOTAMT2="$".tostring(round(TOTAMT1,2),"commas") 
    | eval ORIGCOSAMT2="$".tostring(round(ORIGCOSAMT1,2),"commas") 
    | eval ORIGFEEAMT2="$".tostring(round(ORIGFEEAMT1,2),"commas") 
    | rename APPLICATIONNAME AS "Pay Credit Card Application", RECEIPTDATE AS "Receipt Date", TOTAMT2 AS "Total Amount", ORIGCOSAMT2 AS "Original Cost Amount", ORIGFEEAMT2 AS "Transaction Fees Amount" 
    | sort convertedRECEIPTDATE
    | table "Pay Credit Card Application", "Receipt Date", "Total Amount", "Original Cost Amount", "Transaction Fees Amount"

So the moral of the story (problem) is, if you need to sort on a date field, but it is in text format,

  1. Create a new field using eval and strptime.
  2. Use both the new and original fields in the BY clause of your stats command.
  3. sort your results by the new field only.
  4. Leave the new field out of your table command.

Thanks and God bless,
Genesius

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Thanks for sharing, @genesiusj . To help future readers find your solution, please edit your posting into a question and put the solution in an answer. Then accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...