Splunk Search
Highlighted

Why isn't my search sorting events chronologically by month?

Communicator

I'm executing the following search to generate a report with columns sorted chronologically by month:

( ... ) | eval month_num = strftime( _time ,"%m" ) | stats count by date_month | sort - month_num

date_month = month field taken from the events' data

Splunk can't still interpret the chronological order of the months.

What am I missing?

Thanks for the help!

0 Karma
Highlighted

Re: Why isn't my search sorting events chronologically by month?

SplunkTrust
SplunkTrust

There is no month_num field after stats, hence the sort fails. Try this

( ... ) | eval month_num = strftime( _time ,"%m" ) | stats count by date_month month_num | sort - month_num | fields - month_num

View solution in original post

0 Karma
Highlighted

Re: Why isn't my search sorting events chronologically by month?

Communicator

I added the reverse command to your query and it worked exactly as I wanted it.

Thanks!

0 Karma
Highlighted

Re: Why isn't my search sorting events chronologically by month?

SplunkTrust
SplunkTrust

You could also, just remove hyphen from the sort command (which sorts in descending order) to use just sort month_num.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.