Solved: Sort not working when change the time format

Pajkow · ‎08-27-2020

Hi all, got the problem with sort,

When I change the time format from default e.g. 2020-05-08 19:46:20 to this :08/05/20 19:46:20 by the use this conversion command: | eval _time=strftime(_time,"%d/%m/%y %H:%M:%S") the sort function does not work.

To overcome this, I can put the sort command e.g. " | sort -_time " prior eval command but this does not resolve the main Splunk build in feature .i. e. arrows up and down next to the table headers.

Since I changed the time output format the sort will work only on one page with results, if there are multiple pages with results, this will not work, is this normal?

ITWhisperer · ‎08-27-2020

You possibly don't want to change _time itself, but you can change the way it is displayed e.g. fieldformat _time=strftime(_time,"%d/%m/%y %H:%M:%S")

View solution in original post

ITWhisperer · ‎08-27-2020

You possibly don't want to change _time itself, but you can change the way it is displayed e.g. fieldformat _time=strftime(_time,"%d/%m/%y %H:%M:%S")

Sort not working when change the time format

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation