Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to sort date in header level

avikc100
Path Finder
‎01-04-2024 02:54 PM

this query showing date &time haphazardly, how to sort it like 1/4/2024, 1/3/2024, 1/2/2024....

index="*" source="*" |eval
timestamp=strftime(_time, "%m/%d/%Y")
| chart limit=30
count as count
over DFOINTERFACE
by timestamp

 

avikc100_0-1704408791144.png

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-04-2024 03:21 PM

There is no good way to sort column using mm/dd/yyyy format.  What's wrong with yyyy-mm-dd?

index="*" source="*" |eval
timestamp=strftime(_time, "%F")
| chart limit=30
count as count
over DFOINTERFACE
by timestamp

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎01-04-2024 04:51 PM

Hi @avikc100 

Basically in Splunk the time and date operations should be done like this:

1) Splunk has an event's timestamp in some format (dd-mm-yy aa:bb:cc dddd). 

2) convert that to epoch timestamp (use strptime)

----- strptime(<str>, <format>)
------Takes a human readable time, represented by a string, and parses the time into a UNIX timestamp using the format you specify. 

3) then do sorting, comparison operations on the epoch timestamp.

4) and then convert back to human readable timestamp (use strftime)
------strftime(<time>,<format>)
------This function takes a UNIX time value and renders the time as a string using the format specified.

 

if any reply helped you, then, karma  / upvotes  appreciated, thanks. 

 

Reply
Solved! Jump to solution

dtburrows3
Builder
‎01-04-2024 03:35 PM

Something like this should sort your column in the intended order with the time format requested.

 

 

 

 

<base_search>
    ``` bucket _time into each respective day ```
    | bucket span=1d _time
    ``` transform data in a normal Splunk friendly timeseries format ```
    | chart
        count as count
            over _time
            by DFOINTERFACE
    ``` ensure ascending order of _time field ```
    | sort 0 +_time
    ``` format timestamp as desired ```
    | eval
        timestamp=strftime(_time, "%m/%d/%Y")
    ``` remove _time field (no longer needed) ```
    | fields - _time
    ``` transpose table (this should retain the sort order of date ```
    ``` note: transpose has default limits on number of columns that will display. The 25 here is saying allow at the most 25 columns to be available before truncation occurs. ```
    | transpose 25 header_field=timestamp column_name=DFOINTERFACE

 

 

 

 

Example output:

dtburrows3_0-1704411303205.png

This is basically the same question that was asked here.
https://community.splunk.com/t5/Splunk-Search/how-to-report-based-on-date/m-p/673054

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-04-2024 03:21 PM

There is no good way to sort column using mm/dd/yyyy format.  What's wrong with yyyy-mm-dd?

index="*" source="*" |eval
timestamp=strftime(_time, "%F")
| chart limit=30
count as count
over DFOINTERFACE
by timestamp
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...