Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sorting Date

dsmeerkat
Explorer
‎04-03-2014 06:28 AM

Okay so I missing something...

Here's my searches:

index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool useother=false | fieldformat Total=round(Total, 2) |rename auto_generated_pool_enterprise AS Total | tscollect namespace=License_Daily_Usage_7d keepresults=true

AND

| tstats sum(GB) AS Total, values(Total), values(Date) FROM License_Daily_Usage_7d groupby Date |  rename values(Total) AS Total_GB | convert timeformat="%a,  %m/%d/%y" ctime(_time) AS Date | sort _time | fields - _time | table Date, Total_GB

And when the show up in the dashboard they are not being sorted by "Date" correctly...its doing:

Fri, 03/28/14 943.270143

Mon, 03/31/14 900.663402

Sat, 03/29/14 836.616432

Sun, 03/30/14 779.676332

Thu, 03/27/14 487.159979

Thu, 04/03/14 514.808743

Tue, 04/01/14 965.568267

Wed, 04/02/14 1031.553619

I've tried sorting by everything I can think of and it just won't sort by %m/%d/%y

Tags (2)
0 Karma
Reply

dsmeerkat
Explorer
‎04-03-2014 09:05 AM 
index=_internal source=*license_usage.log type=Usage | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) by pool useother=false |convert ctime(_time) AS Time | tscollect namespace=License_Daily_Usage_7d keepresults=true


| tstats sum(GB) AS Total, values(Total), values(Date) FROM License_Daily_Usage_7d groupby Date |  rename values(Total) AS Total_GB | convert timeformat="%a,  %m/%d/%y" ctime(_time) AS Date | sort _time | fields - _time | eval MyDate=strptime(Date,"%a, %m/%d/%y") | sort MyDate | convert timeformat="%a,  %m/%d/%y" ctime(_time) AS Date| table Date, Total_GB

Works like a charm!

0 Karma
Reply

aelliott
Motivator
‎04-03-2014 07:12 AM

try

|eval MyDate=strptime(Date,"%a, %m/%d/%y") | sort MyDate | table MyDate, Total_GB

0 Karma
Reply

dsmeerkat
Explorer
‎04-03-2014 07:08 AM

No 😞 .....

0 Karma
Reply

aelliott
Motivator
‎04-03-2014 07:07 AM

if you keep the field _time, does it sort?

0 Karma
Reply

dsmeerkat
Explorer
‎04-03-2014 06:50 AM

Thanks for the response but its still not working....

0 Karma
Reply

somesoni2
Revered Legend
‎04-03-2014 06:46 AM

You second search (tstats) is not retrieving field _time.

0 Karma
Reply

linu1988
Champion
‎04-03-2014 06:43 AM

Hello,
Add a dummy column and do the sort and hide it

| tstats sum(GB) AS Total, values(Total), values(Date) FROM License_Daily_Usage_7d groupby Date |  rename values(Total) AS Total_GB |convert timeformat="%a,  %m/%d/%y" ctime(_time) AS Date|eval a=strptime(Date,"%a,  %m/%d/%y") | table Date, Total_GB,a| sort a | fields - a

Thanks

Reply

linu1988
Champion
‎04-03-2014 07:13 AM

Okay now check the edited one?

0 Karma
Reply

dsmeerkat
Explorer
‎04-03-2014 06:59 AM

Still no luck 😞

0 Karma
Reply

linu1988
Champion
‎04-03-2014 06:51 AM

Try now, i didn't include the field in table column. This happens due to the date field not being actual date field rather a string..

0 Karma
Reply

dsmeerkat
Explorer
‎04-03-2014 06:50 AM

Thanks for the response but its still not working....

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...

Data Management Digest – January 2026

Welcome to the January 2026 edition of Data Management Digest! Welcome to the January 2026 edition of Data ...