- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Table data sort behaviour
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search that outputs a table similar to the following.
Month starting count
1-Sep-11 21424533
1-Oct-11 23025589
1-Nov-11 23291731
1-Dec-11 22275910
1-Jan-12 24153686
1-Feb-12 22862810
1-Mar-12 19596371
1-Apr-12 22270415
1-May-12 20289422
This table exhibits unexpected sort behaviour in the web interface (splunk v4.3.4)
You can sort in both directions via the count column but if you then click on the month starting column it only sorts it in one direction. The tool tip icon changes direction however.
I have tried changing the date format from timeformat="%d/%b/%y" to various different ones (even including the time ie. %d-%b-%y %h:%m:%s).
The only thing that allows it to sortable as a user expects is to use epoch time.
Is there any way that I can make this table sortable?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you get the "Month starting?"
If you did it like this: eval "Month starting"=strftime(_time,"%d-%b-%y")
then you should try fieldformat instead: fieldformat "Month starting"=strftime(_time,"%d-%b-%y")
which should make the field sort properly. Another alternative is to use two fields. I'll call them monthEpoch and monthStarting - they are both the same date, but one is formatted and one is not. Here is an example
yoursearchhere
| bucket span=1d _time
| eval monthEpoch = _time
| stats count by monthEpoch
| eval monthStarting = strftime(monthEpoch,"%d-%b-%y")
| sort monthEpoch
| table monthStarting count
| rename monthStarting as "Month starting"
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you get the "Month starting?"
If you did it like this: eval "Month starting"=strftime(_time,"%d-%b-%y")
then you should try fieldformat instead: fieldformat "Month starting"=strftime(_time,"%d-%b-%y")
which should make the field sort properly. Another alternative is to use two fields. I'll call them monthEpoch and monthStarting - they are both the same date, but one is formatted and one is not. Here is an example
yoursearchhere
| bucket span=1d _time
| eval monthEpoch = _time
| stats count by monthEpoch
| eval monthStarting = strftime(monthEpoch,"%d-%b-%y")
| sort monthEpoch
| table monthStarting count
| rename monthStarting as "Month starting"
HTH
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your right. That last one is the only one that will work properly.
ie. fieldformat Month = strftime(Month,"%d/%b/%y")
Excellent thanks again! It seems that any eval-ing/formatting/copying to a new field/with a rename totally breaks how it than sorts in the table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if it works this way
somesearch
| eval Month=relative_time(_time, "@mon")
| some stats here
| fieldformat Month = strftime(Month,"%d/%b/%y")
I think the rename confuses fieldformat, and the field name with spaces in it may also confuse it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The month starting is created like this.
somesearch
| eval Month=relative_time(_time, "@mon")
| some stats here
| convert timeformat="%d/%b/%y" ctime(Month) AS "Period Month Starting"
So my search snaps each result into a monthly block so that I can then nicely combine them together using a stats by Month.
If i try and use fieldformat like this
| fieldformat "Period Month Starting"=strftime(Month,"%d-%b-%y")
I get no output what so ever.
You eval line "eval monthStarting = strftime(monthEpoch,"%d-%b-%y")" does work but gives me the same "unsortable" results table.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
