Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to sort using formatted time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a result table with two columns "formattedTime" and "Unsuccessful logins". I am displaying time in the format like " eval formattedTime = strftime(_time, "%b %d, %Y %I:%M:%S %p") ". I see the following result in the output:
formattedTime Unsuccessful Logins
Mar 20, 2018 01:00:00 AM 1799
Mar 20, 2018 01:00:00 PM 3741
Mar 20, 2018 02:00:00 AM 1785
Mar 20, 2018 02:00:00 PM 3703
Mar 20, 2018 03:00:00 AM 1694
Mar 20, 2018 03:00:00 PM 3651
Mar 20, 2018 04:00:00 AM 1764
Mar 20, 2018 04:00:00 PM 3683
Mar 20, 2018 05:00:00 AM 2515
What I need is to display the results from 12 AM - 4 PM is ascending format.
This is the current logic I am using to display those results:
| bucket _time span=1h | eval formattedTime = strftime(_time, "%b %d, %Y %I:%M:%S %p") |stats count(id) as "Unsuccessful Logins" by formattedTime| sort formattedTime
Any one please help me!
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My recommendation is to not convert the _time field with an eval but instead to use the command fieldformat to change how the value is displayed while retaining the original epoch string, which is easily sortable. That search would look like this:
your base search that filters down to events in the desired time range
| bucket _time span=1h
| stats count(id) as "Unsuccessful Logins" by _time
| sort _time
| fieldformat _time=strftime(_time, "%b %d, %Y %I:%M:%S %p")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My recommendation is to not convert the _time field with an eval but instead to use the command fieldformat to change how the value is displayed while retaining the original epoch string, which is easily sortable. That search would look like this:
your base search that filters down to events in the desired time range
| bucket _time span=1h
| stats count(id) as "Unsuccessful Logins" by _time
| sort _time
| fieldformat _time=strftime(_time, "%b %d, %Y %I:%M:%S %p")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@elliotproebstel - Thank you for the suggestion. It worked as expected.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
