Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Time format and table sorting issues

jwillaime
Explorer
‎03-07-2018 05:18 AM

So, I have this search on events that cover from the 28th of February to the 6th of March, 2018:

Some basic search

    | eval customer_id = substr(host,2,5)

    | eval session_duration = stop_time - start_time

    | eval start_date = strftime(start_time,"%d/%m/%y %H:%M:%S")

    | convert rmunit(session_duration) as numSecs

    | eval stringSecs=tostring(numSecs,"duration")

    | table customer_id,  start_date,  task_id,  host_ip, from_user, stringSecs 

    | sort by start_time d

    | rename customer_id as "Customer ID", start_date as "Session Start", task_id as "Task id", host_ip as "Accessed Host", from_user as "User ID", stringSecs as "Session Duration"

Which is creating the perfect "starting" table I want, with the more recent data at the top, up until I click on the table header to modify the date.

Ascending: (expecting 28/02/18)
alt text

Descending: (expecting 06/03/18)
alt text

From what I understand, even if I specified the European time format in the search, the interactive table sorting is based on alphanumerical order.

One quick fix would be to use the ISO format (YYYY-MM-DD) (for which I am opting right now), but what if the end user want absolutely to have dd/mm/yy and be able to click on the header to change the order?
Is there an option to change this behavior?

Thanks in advance.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

kollachandra
Path Finder
‎03-07-2018 08:28 AM

I would say to sort them first by and then do the eval to change the format.

0 Karma
Reply

mayurr98
Super Champion
‎03-07-2018 05:45 AM

okay if YYYY-MM-DD format is fixing your issue then do that and if the end user want absolutely to have dd/mm/yy then you can try converting the time format after the sort 

Some basic search 
| eval customer_id = substr(host,2,5) 
| eval session_duration = stop_time - start_time 
| eval start_date = strftime(start_time,"%Y-%m-%d %H:%M:%S") 
| convert rmunit(session_duration) as numSecs 
| eval stringSecs=tostring(numSecs,"duration") 
| table customer_id, start_date, task_id, host_ip, from_user, stringSecs 
| sort by start_date 
| eval start_date=strftime(strptime(start_date,"%Y-%m-%d %H:%M:%S"),"%d/%m/%y %H:%M:%S") 
| rename customer_id as "Customer ID", start_date as "Session Start", task_id as "Task id", host_ip as "Accessed Host", from_user as "User ID", stringSecs as "Session Duration"

OR
You can use another method (bit complex but useful ) in which you need to sort date year month individually along with the entire time format and then remove unnecessary fields .
Refer this answer
https://answers.splunk.com/answers/624327/how-to-arrange-by-monthyear-chronological-order.html#comme...

let me know if this helps!

0 Karma
Reply

jwillaime
Explorer
‎03-07-2018 11:48 PM

Your first proposition has the same unwanted behavior. I'll take a look to the link you shared.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...