Solved: help for sorting time

jip31 · ‎10-30-2020

hello

I use a time field like this but I am unable to sort the time with descending sort

How to do this please?

| eval time = strftime(_time, "%m/%d/%Y %H:%M") 
| rename time as "Event time" 
| table "Event time" 
| sort "Event time"

gcusello · ‎10-30-2020

to sort time fields you have to convert them in epochtime.

In your case, _time is already in epochtime so you have only to change the order of your commands:

| sort -_time
| eval "Event time" = strftime(_time, "%m/%d/%Y %H:%M") 
| table "Event time"

Ciao.

Giuseppe

gcusello · ‎10-30-2020

to sort time fields you have to convert them in epochtime.

In your case, _time is already in epochtime so you have only to change the order of your commands:

| sort -_time
| eval "Event time" = strftime(_time, "%m/%d/%Y %H:%M") 
| table "Event time"

Ciao.

Giuseppe

jip31 · ‎10-31-2020

Thanks Giuseppe

gcusello · ‎10-31-2020

good for you.

ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

help for sorting time