Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to sort by month in chronological order?

demkic
Explorer
‎03-17-2017 12:10 PM

I have the following search, and it is currently displaying a graph grouped by day of the month but not in chronological order.

base query |bucket _time span=1d | eval day=strftime(_time,"%b %d, %y") | stats count as total by day | streamstats avg(total) | sort -day

How can I tweak this to add in the x-axis the months going from Dec 1, 16; Dec 2, 16 ..... Jan 1, 17; Jan 2, 17; .... Feb .... Mar.
It is currently displaying, December, Feb, Jan, Mar (in alphabetical order).

Thank you

Best,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎03-17-2017 12:27 PM

You have to change the order of things. Do the strftime statement after the sortand some other minor things.

base query 
| bucket _time span=1d 
| stats count as total by _time 
| streamstats avg(total) 
| sort -_time
| eval day=strftime(_time,"%b %d, %y") 
| table day total avg(total)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-17-2017 02:02 PM

Just as a general strategy, it would be good to train your users to read "2017-01-31", which means your data will always sort in the correct order.

0 Karma
Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎03-17-2017 12:27 PM

You have to change the order of things. Do the strftime statement after the sortand some other minor things.

base query 
| bucket _time span=1d 
| stats count as total by _time 
| streamstats avg(total) 
| sort -_time
| eval day=strftime(_time,"%b %d, %y") 
| table day total avg(total)
0 Karma
Reply
Solved! Jump to solution

abhishekroy168
Path Finder
‎03-05-2018 02:45 AM

I downvoted this post because doesnt works.

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎03-05-2018 03:31 AM

Can you clarify what doesn't work or share more details about your search? My token example works fine for me.

index= _internal earliest=-30d
 | fields _time
 | bucket _time span=1d 
 | stats count as total by _time 
 | streamstats avg(total) 
 | sort -_time
 | eval day=strftime(_time,"%b %d, %y") 
 | table day total avg(total)

day| total | avg(total)
Mar 05, 18|3349|85247.33333333333
Mar 03, 18|4107|101627
Feb 18, 18|66397|126007
Feb 17, 18|227887|145877
Feb 16, 18|171441|104872
Feb 15, 18|38303|38303

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...