Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sort data in chronological order by month, not alphabetically?

karthikTIL
Path Finder
‎09-26-2014 12:07 AM

HI,

For my below query, i get months in alphabetical order like april-2014, august-2014, february-2014, January-2014.

But i want this to be sorted like January-2014, February-2014. Please let me know.

source="test.csv"| eval Month=date_month."-".date_year|stats count(Incidents) by Month
Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎09-26-2014 12:22 AM

Splunk has no idea that "January" corresponds to month "1" and "February" corresponds to month "2". You need to tell it. One simple way of doing that is creating a numerical field to sort by and use that:

source=test.csv | strftime month_num=strftime(_time,"%m") | eval Month=date_month."-".date_year | stats count(Incidents) by month_num,Month | sort month_num | fields - month_num

View solution in original post

Reply
Solved! Jump to solution

frsouza
New Member
‎11-07-2019 08:57 AM

You can use timechart (what do you want to correlate with months). In your case, if you want to know the Incidents per month, would be | timechart count by Incidents

0 Karma
Reply
Solved! Jump to solution

sunilsk1
Path Finder
‎09-28-2018 10:18 PM

The following converts the month into Y-m format and the numerical sorting helps out. 

base search |convert ctime(_time) as Time timeformat=%Y-%m|chart avg(yourfield) over Time by some_other_field|sort Time
Reply
Solved! Jump to solution

pbarbuto
Path Finder
‎06-11-2018 04:08 PM

I used the following for fiscal years.

 | eval sort=case(
     Month=="AUG","01",
     Month=="SEP","02",
     Month=="OCT","03",
     Month=="NOV","04",
     Month=="DEC","05",
     Month=="JAN","06",
     Month=="FEB","07",
     Month=="MAR","08",
     Month=="APR","09",
     Month=="MAY","10",
     Month=="JUN","11",
     Month=="JUL","12")
| sort sort     
| fields - sort
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎09-26-2014 12:22 AM

Splunk has no idea that "January" corresponds to month "1" and "February" corresponds to month "2". You need to tell it. One simple way of doing that is creating a numerical field to sort by and use that:

source=test.csv | strftime month_num=strftime(_time,"%m") | eval Month=date_month."-".date_year | stats count(Incidents) by month_num,Month | sort month_num | fields - month_num
Reply
Solved! Jump to solution

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-23-2015 11:03 AM

I have a field Month which has values as [Jan,Feb,Mar ....]. I tried the above solution but it didn't work for me.

0 Karma
Reply
Solved! Jump to solution

karthikTIL
Path Finder
‎09-26-2014 12:35 AM

Thank you, it works

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...