Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

Time format and table sorting issues

jwillaime
Explorer
โ€Ž03-07-2018 05:18 AM

So, I have this search on events that cover from the 28th of February to the 6th of March, 2018:

Some basic search

    | eval customer_id = substr(host,2,5)

    | eval session_duration = stop_time - start_time

    | eval start_date = strftime(start_time,"%d/%m/%y %H:%M:%S")

    | convert rmunit(session_duration) as numSecs

    | eval stringSecs=tostring(numSecs,"duration")

    | table customer_id,  start_date,  task_id,  host_ip, from_user, stringSecs 

    | sort by start_time d

    | rename customer_id as "Customer ID", start_date as "Session Start", task_id as "Task id", host_ip as "Accessed Host", from_user as "User ID", stringSecs as "Session Duration"

Which is creating the perfect "starting" table I want, with the more recent data at the top, up until I click on the table header to modify the date.

Ascending: (expecting 28/02/18)
alt text

Descending: (expecting 06/03/18)
alt text

From what I understand, even if I specified the European time format in the search, the interactive table sorting is based on alphanumerical order.

One quick fix would be to use the ISO format (YYYY-MM-DD) (for which I am opting right now), but what if the end user want absolutely to have dd/mm/yy and be able to click on the header to change the order?
Is there an option to change this behavior?

Thanks in advance.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

kollachandra
Path Finder
โ€Ž03-07-2018 08:28 AM

I would say to sort them first by and then do the eval to change the format.

0 Karma
Reply

mayurr98
SplunkTrust
SplunkTrust
โ€Ž03-07-2018 05:45 AM

okay if YYYY-MM-DD format is fixing your issue then do that and if the end user want absolutely to have dd/mm/yy then you can try converting the time format after the sort 

Some basic search 
| eval customer_id = substr(host,2,5) 
| eval session_duration = stop_time - start_time 
| eval start_date = strftime(start_time,"%Y-%m-%d %H:%M:%S") 
| convert rmunit(session_duration) as numSecs 
| eval stringSecs=tostring(numSecs,"duration") 
| table customer_id, start_date, task_id, host_ip, from_user, stringSecs 
| sort by start_date 
| eval start_date=strftime(strptime(start_date,"%Y-%m-%d %H:%M:%S"),"%d/%m/%y %H:%M:%S") 
| rename customer_id as "Customer ID", start_date as "Session Start", task_id as "Task id", host_ip as "Accessed Host", from_user as "User ID", stringSecs as "Session Duration"

OR
You can use another method (bit complex but useful ) in which you need to sort date year month individually along with the entire time format and then remove unnecessary fields .
Refer this answer
https://answers.splunk.com/answers/624327/how-to-arrange-by-monthyear-chronological-order.html#comme...

let me know if this helps!

0 Karma
Reply

jwillaime
Explorer
โ€Ž03-07-2018 11:48 PM

Your first proposition has the same unwanted behavior. I'll take a look to the link you shared.

0 Karma
Reply