Sort Function In splunk

romansha · ‎09-06-2020

Hi ,

I have a string fields like '28 Aug-1233456' , '05 Jan-5678999' ,'02 Feb-6789011'. I want to sort the field on the basis of date and month .Please let me know how can I sort this fields .

Expected Output :

'05 Jan-5678999' ,02 Feb-6789011',28 Aug-1233456'

niketn · ‎09-15-2020

Can you add your current SPL? Are the fields in the question generated by SPL or available in your raw data!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

isoutamo · ‎09-06-2020

Hi

the easiest way is convert date as epoch then sort with it and then remove/hide that field.

I'm not sure what you are meaning with that -123456, -34112 etc. Is it just a random number/string or should it contain year, hour, min ....?

...
| eval sTime = substr(your_field, 1, 6), rTime = substr(your_field, 7)
| eval sTime = strptime(sTime, "%d %b")
| sort sTime, rTime
| fields - sTime, rTime

r. Ismo

romansha · ‎09-15-2020

It is just a random number

isoutamo · ‎09-15-2020

Then my example should do the work.

niketn · ‎09-06-2020

@romansha what is your SPL which generates fields like above? We would have to fix the fieldname before making them columns.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Sort Function In splunk

stats

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Are you a member of the Splunk Community?

Sort Function In splunk

stats

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk