Re: Sorting timewrap output

jsburt · ‎01-23-2018

I doing a search and timecharting the results which I then stream into timewrap.

My timechart contains (for instance) bob.com, charlie.com and delta.com

After I pipe this into timewrap, I get the following ordering:
bob.com.2018_01_02, charlie.com_2018_01_02, delta.com_2018_01_02, bob.com_2018_01_09, charlie.com_2018_01_09, delta.com_2018_01_09

Why aren't I seeing results from "today" 2018_01_23?

And how can I sort the columns so the "bob"s, "charlie"s, and "delta"s are adjacent to each other?

My SPL is as follows:
... | eval lc_domain = lower(metadata_recipient_email_domain) | timechart limit=0 span=1d count by metadata_recipient_email_domain | timewrap 1week | sort metadata_recipient_email_domain

mayurr98 · ‎01-24-2018

let me know if get results!

jsburt · ‎01-24-2018

Thank you for this suggestion.
It seems as though this solution sorts the resultant rows in time order.
I really want to change the sort order of the columns themselves so all the "bob" columns appear next to each other (as opposed to the default order where each time period is next to each other).

mayurr98 · ‎01-24-2018

try this

... | eval lc_domain = lower(metadata_recipient_email_domain) | timechart limit=0 span=1d count by metadata_recipient_email_domain | timewrap 1week | sort- _time | fields _time bob* charlie* delta*

jsburt · ‎01-24-2018

This worked like a champ - thank you.
And since I don't know all the column names, I was able to use "fields _time, *" and the columns sort correctly.

mayurr98 · ‎01-24-2018

If you deem a posted answer as valid and helpful to your solving of the issue, please accept said answer so that this question no longer appears open.

Sorting timewrap output

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?