Solved: Re: Why isn't my search sorting events chronologic...

Yaichael · ‎09-13-2016

I'm executing the following search to generate a report with columns sorted chronologically by month:

( ... ) | eval month_num = strftime( _time ,"%m" ) | stats count by date_month | sort - month_num

date_month = month field taken from the events' data

Splunk can't still interpret the chronological order of the months.

What am I missing?

Thanks for the help!

somesoni2 · ‎09-13-2016

There is no month_num field after stats, hence the sort fails. Try this

( ... ) | eval month_num = strftime( _time ,"%m" ) | stats count by date_month month_num | sort - month_num | fields - month_num

somesoni2 · ‎09-13-2016

There is no month_num field after stats, hence the sort fails. Try this

( ... ) | eval month_num = strftime( _time ,"%m" ) | stats count by date_month month_num | sort - month_num | fields - month_num

Yaichael · ‎09-13-2016

I added the reverse command to your query and it worked exactly as I wanted it.

Thanks!

somesoni2 · ‎09-13-2016

You could also, just remove hyphen from the sort command (which sorts in descending order) to use just sort month_num.

Why isn't my search sorting events chronologically by month?