Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Sorting timewrap output
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorting timewrap output
I doing a search and timecharting the results which I then stream into timewrap.
My timechart contains (for instance) bob.com, charlie.com and delta.com
After I pipe this into timewrap, I get the following ordering:
bob.com.2018_01_02, charlie.com_2018_01_02, delta.com_2018_01_02, bob.com_2018_01_09, charlie.com_2018_01_09, delta.com_2018_01_09
Why aren't I seeing results from "today" 2018_01_23?
And how can I sort the columns so the "bob"s, "charlie"s, and "delta"s are adjacent to each other?
My SPL is as follows:
... | eval lc_domain = lower(metadata_recipient_email_domain) | timechart limit=0 span=1d count by metadata_recipient_email_domain | timewrap 1week | sort metadata_recipient_email_domain
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
... | eval lc_domain = lower(metadata_recipient_email_domain) | timechart limit=0 span=1d count by metadata_recipient_email_domain | timewrap 1week | sort- _time | fields _time bob* charlie* delta*
let me know if get results!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for this suggestion.
It seems as though this solution sorts the resultant rows in time order.
I really want to change the sort order of the columns themselves so all the "bob" columns appear next to each other (as opposed to the default order where each time period is next to each other).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this
... | eval lc_domain = lower(metadata_recipient_email_domain) | timechart limit=0 span=1d count by metadata_recipient_email_domain | timewrap 1week | sort- _time | fields _time bob* charlie* delta*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked like a champ - thank you.
And since I don't know all the column names, I was able to use "fields _time, *" and the columns sort correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Data Management Digest – May 2026
