Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to sort concatenated DATE&TIME field?

Ashwini008
Builder
‎10-05-2020 12:09 AM

Hi,

I have concatenated my DATE & TIME Field as below

| eval DATE&TIME=DATE." ".TIME

EXAMPLE:(%m/%d/%Y  %H:%S)

12/09/2017 23:28

01/27/2019 00:49

04/14/2018 23:42

How to sort my DATE&TIME field now .I want to show the latest date and time field at the beginning?

Any suggestions?

Thank you 

 

Labels (5)
Labels
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-05-2020 12:20 AM

Hi @Ashwini008 .. you have to convert to epoch and sort and then convert back to your format.  pls check the below SPL query. thanks.

 

...  | eval DATETIME=DATE." ".TIME 
| eval sortDate=strptime(DATETIME, "%m/%d/%Y %H:%S") | sort sortDate 
| eval DATETIME=strftime(SortDate, "%m/%d/%Y %H:%S")

 

 

(PS - i have given around 500+ karma points so far, received badge for that, if an answer helped you, a karma point would be nice!. we all should start "Learn, Give Back, Have Fun")

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply

Ashwini008
Builder
‎10-05-2020 01:00 AM

@inventsekar I tried your solution but it didn't work.The field was still in random order.

However i tried the below code and it worked for me

| eval EPOCHDATE=strptime(DATE,"%Y%m%d")
| sort -EPOCHDATE
| eval EPOCHTIME=strptime(TIME,"%H%M%S")
| sort -EPCOHTIME
| eval DATE=strftime(EPOCHDATE,"%m/%d/%Y")
| eval TIME=strftime(EPOCHTIME,"%H:%M")
| eval DATE&TIME=DATE." ".TIME

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...