Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sorting Date

dsmeerkat
Explorer
‎04-03-2014 06:28 AM

Okay so I missing something...

Here's my searches:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool useother=false | fieldformat Total=round(Total, 2) |rename auto_generated_pool_enterprise AS Total | tscollect namespace=License_Daily_Usage_7d keepresults=true

AND

| tstats sum(GB) AS Total, values(Total), values(Date) FROM License_Daily_Usage_7d groupby Date |  rename values(Total) AS Total_GB | convert timeformat="%a,  %m/%d/%y" ctime(_time) AS Date | sort _time | fields - _time | table Date, Total_GB

And when the show up in the dashboard they are not being sorted by "Date" correctly...its doing:

Fri, 03/28/14 943.270143

Mon, 03/31/14 900.663402

Sat, 03/29/14 836.616432

Sun, 03/30/14 779.676332

Thu, 03/27/14 487.159979

Thu, 04/03/14 514.808743

Tue, 04/01/14 965.568267

Wed, 04/02/14 1031.553619

I've tried sorting by everything I can think of and it just won't sort by %m/%d/%y

Tags (2)
0 Karma
Reply

dsmeerkat
Explorer
‎04-03-2014 09:05 AM 
index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool useother=false |convert ctime(_time) AS Time | tscollect namespace=License_Daily_Usage_7d keepresults=true


| tstats sum(GB) AS Total, values(Total), values(Date) FROM License_Daily_Usage_7d groupby Date |  rename values(Total) AS Total_GB | convert timeformat="%a,  %m/%d/%y" ctime(_time) AS Date | sort _time | fields - _time | eval MyDate=strptime(Date,"%a, %m/%d/%y") | sort MyDate | convert timeformat="%a,  %m/%d/%y" ctime(_time) AS Date| table Date, Total_GB

Works like a charm!

0 Karma
Reply

aelliott
Motivator
‎04-03-2014 07:12 AM

try

|eval MyDate=strptime(Date,"%a, %m/%d/%y") | sort MyDate | table MyDate, Total_GB

0 Karma
Reply

dsmeerkat
Explorer
‎04-03-2014 07:08 AM

No 😞 .....

0 Karma
Reply

aelliott
Motivator
‎04-03-2014 07:07 AM

if you keep the field _time, does it sort?

0 Karma
Reply

dsmeerkat
Explorer
‎04-03-2014 06:50 AM

Thanks for the response but its still not working....

0 Karma
Reply

somesoni2
Revered Legend
‎04-03-2014 06:46 AM

You second search (tstats) is not retrieving field _time.

0 Karma
Reply

linu1988
Champion
‎04-03-2014 06:43 AM

Hello,
Add a dummy column and do the sort and hide it

| tstats sum(GB) AS Total, values(Total), values(Date) FROM License_Daily_Usage_7d groupby Date |  rename values(Total) AS Total_GB |convert timeformat="%a,  %m/%d/%y" ctime(_time) AS Date|eval a=strptime(Date,"%a,  %m/%d/%y") | table Date, Total_GB,a| sort a | fields - a

Thanks

Reply

linu1988
Champion
‎04-03-2014 07:13 AM

Okay now check the edited one?

0 Karma
Reply

dsmeerkat
Explorer
‎04-03-2014 06:59 AM

Still no luck 😞

0 Karma
Reply

linu1988
Champion
‎04-03-2014 06:51 AM

Try now, i didn't include the field in table column. This happens due to the date field not being actual date field rather a string..

0 Karma
Reply

dsmeerkat
Explorer
‎04-03-2014 06:50 AM

Thanks for the response but its still not working....

0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...