I'm executing the following search to generate a report with columns sorted chronologically by month:
( ... ) | eval month_num = strftime( _time ,"%m" ) | stats count by date_month | sort - month_num
date_month = month field taken from the events' data
Splunk can't still interpret the chronological order of the months.
What am I missing?
Thanks for the help!
There is no month_num field after stats, hence the sort fails. Try this
( ... ) | eval month_num = strftime( _time ,"%m" ) | stats count by date_month month_num | sort - month_num | fields - month_num
There is no month_num field after stats, hence the sort fails. Try this
( ... ) | eval month_num = strftime( _time ,"%m" ) | stats count by date_month month_num | sort - month_num | fields - month_num
I added the reverse command to your query and it worked exactly as I wanted it.
Thanks!
You could also, just remove hyphen from the sort command (which sorts in descending order) to use just sort month_num
.