Splunk Search

How to sort time so that minute values are in correct order relevant to a 60 minute hour?

packet_hunter
Contributor

Here is the data when sorted recent first....

11:25:22
11:25:23
11:25:51
11:25:52
11:25:53
11:5:37
11:5:38
11:5:42
11:6:2
11:6:5
11:6:6

Any ideas?

0 Karma
1 Solution

richgalloway
SplunkTrust

Try this

.... | eval Time=strftime(strptime(date_hour.":".date_minute.":".date_second,"%H:%M:%S"),"%H:%M:%S") | ...

It should normalize Time to use 2-digit minute and second fields (hour, too). Then the events will sort properly.

---
If this reply helps you, Karma would be appreciated.


packet_hunter
Contributor

|eval Time=strftime(_time, "%H:%M:%S") | eval Date=strftime(_time, "%A %F")

This works too

Thanks!

0 Karma

packet_hunter
Contributor

Thank you Rick!!! Do you also have the date cure too? So that days and months are in the proper chronological order.

Thanks again

0 Karma

richgalloway
SplunkTrust

Date is similar.

... | eval Date=strftime(strptime(date_wday." ".date_month."/".date_mday."/".date_year, "%A %B/%d/%Y"),"%a %m/%d/%Y") | ...

I suspect, however, there's a better way using _time to get the events in order. Depends on what you're trying to do.

---
If this reply helps you, Karma would be appreciated.
0 Karma
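As an added Python illustration (not code from the thread), modelled on the Splunk date_* field values the posts concatenate: it shows why the raw strings missort, how the zero-padding fix from the accepted answer restores minute/second order within an hour, and why sorting on a parsed timestamp (the _time approach suggested above) is what keeps dates chronological. The event values are constructed.

```python
from datetime import datetime

# Constructed sample events shaped like Splunk's date_* fields (hypothetical values).
# Splunk stores date_wday/date_month as full lowercase names and the numeric
# fields without zero padding, which is what breaks the string sort in the question.
EVENTS = [
    {"date_wday": "monday", "date_month": "march", "date_mday": 4, "date_year": 2024,
     "date_hour": 11, "date_minute": 25, "date_second": 51},
    {"date_wday": "monday", "date_month": "march", "date_mday": 4, "date_year": 2024,
     "date_hour": 11, "date_minute": 5, "date_second": 37},
    {"date_wday": "friday", "date_month": "february", "date_mday": 9, "date_year": 2024,
     "date_hour": 11, "date_minute": 6, "date_second": 2},
    {"date_wday": "tuesday", "date_month": "march", "date_mday": 12, "date_year": 2024,
     "date_hour": 11, "date_minute": 25, "date_second": 22},
]


def raw_time(ev):
    """The question's concatenation: date_hour.":".date_minute.":".date_second."""
    return f'{ev["date_hour"]}:{ev["date_minute"]}:{ev["date_second"]}'


def padded_time(ev):
    """The accepted answer: strptime the unpadded text, strftime it back zero-padded."""
    return datetime.strptime(raw_time(ev), "%H:%M:%S").strftime("%H:%M:%S")


def event_datetime(ev):
    """Parse the full date and time into one datetime, the closest stand-in for
    Splunk's _time, so events sort chronologically rather than by weekday name."""
    text = (f'{ev["date_wday"]} {ev["date_month"]}/{ev["date_mday"]}/'
            f'{ev["date_year"]} {raw_time(ev)}')
    return datetime.strptime(text, "%A %B/%d/%Y %H:%M:%S")


def lexical_order(events):
    """Sorting the raw strings: '11:5:37' lands after '11:25:51'."""
    return sorted(raw_time(ev) for ev in events)


def padded_order(events):
    """Sorting the normalized strings restores minute/second order within an hour."""
    return sorted(padded_time(ev) for ev in events)


def chronological_order(events):
    """Sort by the parsed datetime and emit the answer's '%a %m/%d/%Y %H:%M:%S' form."""
    return [dt.strftime("%a %m/%d/%Y %H:%M:%S")
            for dt in sorted(event_datetime(ev) for ev in events)]
```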

packet_hunter
Contributor

agreed, I am sure there is a better way but this should get the answers I need today...
Thank you

0 Karma

packet_hunter
Contributor
....|eval Time=date_hour.":".date_minute.":".date_second  | eval Date = date_wday."  ".date_month."/".date_mday."/".date_year 
|stats list(message_subject) as subj list(sender) as sender list(recipient) as recp list(file_name) as AttachmentName list(attachment_type) as AttachmentType list(vendor_action) as status values(Time) as Time values(Date) as Date by internal_message_id ....

This is a sample of the code I use to get the events with time and date...

0 Karma