Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timeformat not sorting properly
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hartfoml
Motivator
12-17-2012
12:27 PM
I am using this search:
sourcetype="foo" name="foobar*" | convert timeformat="%m/%d/%Y - %a" ctime(_time) AS Date | convert timeformat="%H:%M:%S.%N" ctime(_time) AS Time | table Time Date host name category | rename host as Server name as Name category as Category | sort - Time
The sort is not working. can anyone suggest what it is I am doing wrong with the sort or timeformat and how to fix it???
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hartfoml
Motivator
12-17-2012
12:57 PM
I figured it out. Timestamps is just a number before you convert the format so it sorts correctly so you need to sort t=he time before you convert the format like this.
sourcetype="foo" name="foobar*" | sort - _time | convert timeformat="%m/%d/%Y - %a" ctime(_time) AS Date | convert timeformat="%H:%M:%S.%N" ctime(_time) AS Time | table Time Date host name category | rename host as Server name as Name category as Category
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hartfoml
Motivator
12-17-2012
12:57 PM
I figured it out. Timestamps is just a number before you convert the format so it sorts correctly so you need to sort t=he time before you convert the format like this.
sourcetype="foo" name="foobar*" | sort - _time | convert timeformat="%m/%d/%Y - %a" ctime(_time) AS Date | convert timeformat="%H:%M:%S.%N" ctime(_time) AS Time | table Time Date host name category | rename host as Server name as Name category as Category
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hartfoml
Motivator
12-17-2012
12:46 PM
Nope sorry this does not work in the search. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hartfoml
Motivator
12-17-2012
12:42 PM
this works for | sort Time |
it does not work for | sort - Time |
I can use it though. please put it in as an answer so I can give you credit for the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
quatral
Explorer
12-17-2012
12:35 PM
Maybe I'm wrong but should it work if :
sourcetype="foo" name="foobar*" | convert timeformat="%m/%d/%Y - %a" ctime(_time) AS Date | convert timeformat="%H:%M:%S.%N" ctime(_time) AS Time | sort - Time | table Time Date host name category | rename host as Server name as Name category as Category
Get Updates on the Splunk Community!
Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and ...
Full-Stack Security in Financial Services: AppDynamics, Cisco Secure Application, and Splunk ES
Protecting a ...
It's Customer Success Time at .conf25
Hello Splunkers,
Ready for .conf25? The customer success and experience team is and can’t wait to see you ...
Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust
Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
