Solved: Sorting data on basis of date and date_hour

Aakanksha · ‎02-05-2013

I have 1 week data uploaded in SPLUNK.

I a sorting it on weekly as well as daily basis. Query is as follow:

...
|chart limit=0 avg(KPI) by date, date _hour| sort - date _hour

However, the result is not sorted on date_hour.
How can this be resolved?

dart · ‎02-06-2013

You need to have your rows as the field you want to sort by:

sourcetype=access_combined | chart count by date_hour,date_mday | sort date_hour

Otherwise if you're looking to sort your columns in order, try this:

sourcetype=access_combined | chart count by date_mday,date_hour | table date_mday 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

I didn't have a date or KPI field in my data, so the examples use just the count function and date_mday (day of month) instead.

dart · ‎02-06-2013

You need to have your rows as the field you want to sort by:

sourcetype=access_combined | chart count by date_hour,date_mday | sort date_hour

Otherwise if you're looking to sort your columns in order, try this:

sourcetype=access_combined | chart count by date_mday,date_hour | table date_mday 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

I didn't have a date or KPI field in my data, so the examples use just the count function and date_mday (day of month) instead.

Aakanksha · ‎02-06-2013

No,it is just here in the post. In search query it is like - ... | sort - date_hour

Ayn · ‎02-06-2013

Do you really have a space between "date" and "_hour" in your search or is it just in your post here on splunkbase?

Sorting data on basis of date and date_hour