Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to sort a time field in a 12hr time format (AM/PM)?

SQservicedesk
Explorer
‎02-22-2016 10:33 PM

How do I sort a column of time in 12 hour format with AM / PM on the end? I have tried using eval with the _time field (which gives a standard output like: 2016-01-13 13:23:38 and my sourcetype is a standard Windows Security Event Log.

The following syntax displays a column called TIME, with the time displayed in 24hr format. I don't need to sort it as it's sorted automatically from earliest to latest.

... | eval TIME = strftime(_time, "%H:%M:%S")
... | table TIME

However, when changing the time to 12hr format (%I instead of %H) and the trailing AM /PM ( by adding %p), the auto-sort ignores the AM/PM and uses the values as numbers, not 'time-aware' values so to say. 

... | eval TIME = strftime(_time, "%I:%M:%S %p")
... | table TIME

How can the earliest to latest sort be achieved using 12hr time?

0 Karma
Reply

somesoni2
Revered Legend
‎02-23-2016 10:16 AM

I would suggest to sort first (using TIME) and then change the format.

0 Karma
Reply

SQservicedesk
Explorer
‎02-23-2016 06:08 PM

Thanks - I tried this but received the same result.

0 Karma
Reply

javiergn
Super Champion
‎02-23-2016 01:49 AM

You can use fieldformat:

| fieldformat _time=strftime(_time,"%I:%M:%S %p")
0 Karma
Reply

SQservicedesk
Explorer
‎02-23-2016 06:06 PM

Thanks javiergn, but I have tried using fieldformat already. It shows the exact same result as eval - it shows the information, but does not sort it correctly.

Example, if I use:

| fieldformat _time=strftime(_time,"%I:%M:%S %p")
| table _time
| sort _time

The results are close, but still not correct:

07:57:50 AM

07:58:20 AM

09:52:06 AM

09:52:34 AM

08:09:17 AM

08:09:20 AM

08:09:35 AM

11:42:41 AM

11:43:07 AM

04:02:13 PM

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...