Splunk Search

## Sort by time in a chart with time header names

Hi,

I have a search table that aims to show the inflow of tickets for a time range.

Here is what it looks like...

``````
Hour     |     Apr-18     |     Apr-19     |     Aug-18     |     Dec-18
0:00              2                3                5                3
1:00              2               13                2                1
``````

Here is the search for this table...

``````
index=_internal
| bin _time span=1h
| eval hour = strftime(_time, "%H:%M")
| eval monthYear = strftime(_time, "%b-%y")
| stats count(ticketNumber) as inflow values(hour) as hour values(monthYear) as monthYear by _time
| chart limit=0 sum(inflow) as inflow over hour by monthYear
``````

I want to sort my columns by date (Apr-18, Aug-18, Dec-18, Apr-19). I cannot use "fields ..." because the user is free to input the time range that the table will display.

Any help would be appreciated. Thank you.

1 Solution

I solved it by appending a "-01" on monthYear and then transposing the chart.

``````
index=_internal
| timechart span=1h count
| eval hour = strftime(_time, "%H:%M")
| eval monthYear = strftime(_time, "%b-%y")
| chart limit=0 sum(count) as inflow over monthYear by hour
| eval dateSort = monthYear . "-1"
| eval dateSortEpoch = strptime(dateSort, "%b-%y-%d")
| sort dateSortEpoch
| transpose 0 header_field=monthYear column_name=Time
| search NOT Time = "date*"
``````
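
The approach from the solution, as an added example that is not part of the original post: it builds four constructed events with `makeresults` so it runs without any indexed data, then sorts the month rows chronologically before transposing them into columns. The timestamps, the `Hour` column name and the `sort 0` / `fields -` cleanup are choices made for this example.

```spl
| makeresults count=4
| streamstats count as n
| eval _time = case(n=1, strptime("2018-04-10 00:15", "%Y-%m-%d %H:%M"),
                    n=2, strptime("2019-04-10 01:20", "%Y-%m-%d %H:%M"),
                    n=3, strptime("2018-08-10 00:40", "%Y-%m-%d %H:%M"),
                    n=4, strptime("2018-12-10 01:05", "%Y-%m-%d %H:%M"))
| bin _time span=1h
| eval hour = strftime(_time, "%H:%M")
| eval monthYear = strftime(_time, "%b-%y")
| chart limit=0 count as inflow over monthYear by hour
| eval dateSortEpoch = strptime(monthYear . "-01", "%b-%y-%d")
| sort 0 dateSortEpoch
| fields - dateSortEpoch
| transpose 0 header_field=monthYear column_name=Hour
```

The result has one row per hour (`00:00`, `01:00`) and the month columns in the order Apr-18, Aug-18, Dec-18, Apr-19. Dropping the helper field before `transpose` means no helper rows need to be filtered out afterwards.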