Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sort data in chronological order by month, not alphabetically?

karthikTIL
Path Finder
‎09-26-2014 12:07 AM

HI,

For my below query, i get months in alphabetical order like april-2014, august-2014, february-2014, January-2014.

But i want this to be sorted like January-2014, February-2014. Please let me know.

source="test.csv"| eval Month=date_month."-".date_year|stats count(Incidents) by Month
Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎09-26-2014 12:22 AM

Splunk has no idea that "January" corresponds to month "1" and "February" corresponds to month "2". You need to tell it. One simple way of doing that is creating a numerical field to sort by and use that:

source=test.csv | strftime month_num=strftime(_time,"%m") | eval Month=date_month."-".date_year | stats count(Incidents) by month_num,Month | sort month_num | fields - month_num

View solution in original post

Reply
Solved! Jump to solution

frsouza
New Member
‎11-07-2019 08:57 AM

You can use timechart (what do you want to correlate with months). In your case, if you want to know the Incidents per month, would be | timechart count by Incidents

0 Karma
Reply
Solved! Jump to solution

sunilsk1
Path Finder
‎09-28-2018 10:18 PM

The following converts the month into Y-m format and the numerical sorting helps out. 

base search |convert ctime(_time) as Time timeformat=%Y-%m|chart avg(yourfield) over Time by some_other_field|sort Time
Reply
Solved! Jump to solution

pbarbuto
Path Finder
‎06-11-2018 04:08 PM

I used the following for fiscal years.

 | eval sort=case(
     Month=="AUG","01",
     Month=="SEP","02",
     Month=="OCT","03",
     Month=="NOV","04",
     Month=="DEC","05",
     Month=="JAN","06",
     Month=="FEB","07",
     Month=="MAR","08",
     Month=="APR","09",
     Month=="MAY","10",
     Month=="JUN","11",
     Month=="JUL","12")
| sort sort     
| fields - sort
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎09-26-2014 12:22 AM

Splunk has no idea that "January" corresponds to month "1" and "February" corresponds to month "2". You need to tell it. One simple way of doing that is creating a numerical field to sort by and use that:

source=test.csv | strftime month_num=strftime(_time,"%m") | eval Month=date_month."-".date_year | stats count(Incidents) by month_num,Month | sort month_num | fields - month_num
Reply
Solved! Jump to solution

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-23-2015 11:03 AM

I have a field Month which has values as [Jan,Feb,Mar ....]. I tried the above solution but it didn't work for me.

0 Karma
Reply
Solved! Jump to solution

karthikTIL
Path Finder
‎09-26-2014 12:35 AM

Thank you, it works

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...