Solved: Sorting Months in a Field

henryt1 · ‎10-26-2012

So I wasn't really sure how to do this after reading the documentation, but I'm running the following search:

(host="web01.x.com") AND (source="/common/site-logs/x-activity.log") AND ("create" AND "project") NOT ("brief" OR "campaign" OR "proposal" OR "talentlist" OR "teamroom" OR "view" OR "criteria" OR "problem") | stats count by date_month

I get the data back that I want, however the months are in alphabetical order instead of by date. How can I sort these to be in date order with how they would go on a calendar?

Thanks in advance.

-Tyler

gkanapathy · ‎10-26-2012

don't use the date_month field. They are unreliable. use

... | bucket _time span=1mon | stats count by _time

View solution in original post

gkanapathy · ‎10-26-2012

don't use the date_month field. They are unreliable. use

... | bucket _time span=1mon | stats count by _time

henryt1 · ‎10-26-2012

Great! Thank you!

Sorting Months in a Field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation