Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to sort date in header level

avikc100
Path Finder
‎01-04-2024 02:54 PM

this query showing date &time haphazardly, how to sort it like 1/4/2024, 1/3/2024, 1/2/2024....

index="*" source="*" |eval
timestamp=strftime(_time, "%m/%d/%Y")
| chart limit=30
count as count
over DFOINTERFACE
by timestamp

 

avikc100_0-1704408791144.png

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-04-2024 03:21 PM

There is no good way to sort column using mm/dd/yyyy format.  What's wrong with yyyy-mm-dd?

index="*" source="*" |eval
timestamp=strftime(_time, "%F")
| chart limit=30
count as count
over DFOINTERFACE
by timestamp

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎01-04-2024 04:51 PM

Hi @avikc100 

Basically in Splunk the time and date operations should be done like this:

1) Splunk has an event's timestamp in some format (dd-mm-yy aa:bb:cc dddd). 

2) convert that to epoch timestamp (use strptime)

----- strptime(<str>, <format>)
------Takes a human readable time, represented by a string, and parses the time into a UNIX timestamp using the format you specify. 

3) then do sorting, comparison operations on the epoch timestamp.

4) and then convert back to human readable timestamp (use strftime)
------strftime(<time>,<format>)
------This function takes a UNIX time value and renders the time as a string using the format specified.

 

if any reply helped you, then, karma  / upvotes  appreciated, thanks. 

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

dtburrows3
Builder
‎01-04-2024 03:35 PM

Something like this should sort your column in the intended order with the time format requested.

 

 

 

 

<base_search>
    ``` bucket _time into each respective day ```
    | bucket span=1d _time
    ``` transform data in a normal Splunk friendly timeseries format ```
    | chart
        count as count
            over _time
            by DFOINTERFACE
    ``` ensure ascending order of _time field ```
    | sort 0 +_time
    ``` format timestamp as desired ```
    | eval
        timestamp=strftime(_time, "%m/%d/%Y")
    ``` remove _time field (no longer needed) ```
    | fields - _time
    ``` transpose table (this should retain the sort order of date ```
    ``` note: transpose has default limits on number of columns that will display. The 25 here is saying allow at the most 25 columns to be available before truncation occurs. ```
    | transpose 25 header_field=timestamp column_name=DFOINTERFACE

 

 

 

 

Example output:

dtburrows3_0-1704411303205.png

This is basically the same question that was asked here.
https://community.splunk.com/t5/Splunk-Search/how-to-report-based-on-date/m-p/673054

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-04-2024 03:21 PM

There is no good way to sort column using mm/dd/yyyy format.  What's wrong with yyyy-mm-dd?

index="*" source="*" |eval
timestamp=strftime(_time, "%F")
| chart limit=30
count as count
over DFOINTERFACE
by timestamp
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...