Hi
I have a date field called Time_Line (01-Jan-13) in my source file.
My search query is:
source=foo
| eval startdate=strptime("01-JAN-13","%d-%b-%y")
| eval enddate=strptime("31-DEC-13","%d-%b-%y")
| eval timein=strptime(Time_Line,"%d-%b-%y")
| eval month =strftime(timein,"%b")
| table line_id,startdate,enddate,timein,month
| stats count(line_id) as cnt by month
My results will be:
month cnt
Apr 6684
Aug 9120
Dec 9925
Jan 3692
Feb 2564
But I want the months to be sorted according to the calendar.
Please help me with this.
Thanking you in advance
Try this: (changes in line 3 and 5)
source=foo | eval startdate=strptime("01-JAN-13","%d-%b-%y") | eval enddate=strptime("31-DEC-13","%d-%b-%y") | eval timein=strptime(Time_Line,"%d-%b-%y")
| eval month =strftime(timein,"%m")."#".strftime(timein,"%b")
| table line_id,startdate,enddate,timein,month | stats count(line_id) as cnt by month
| eval month=replace(month,"^(\d{2}#)","")
I've done something similar, but not with the stats() command so your result may vary. I added a mapping between my data and a hidden sort field.
' ... | eval monthno=case(month="Jan",1,month="Feb",2,month="Mar",3,month="Apr",4,month="May",5, month="Jun",6,month="Jul",7,month="Aug",8,month="Sep",9,month="Oct",10,month="Nov",11,month="Dec",12) | sort monthno | table ...'
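Added example, not part of either reply above: a variant that carries a numeric month key alongside the label through stats, sorts on it, and then drops it, so no regex strip or case() mapping is needed. The makeresults rows and their dates are constructed sample data standing in for source=foo, and monthno is a name borrowed from the second reply.

```spl
| makeresults count=6
| streamstats count as n
| eval Time_Line=case(n=1,"03-Apr-13", n=2,"15-Aug-13", n=3,"25-Dec-13", n=4,"01-Jan-13", n=5,"10-Feb-13", n=6,"20-Jan-13")
| eval timein=strptime(Time_Line,"%d-%b-%y")
| eval monthno=strftime(timein,"%m"), month=strftime(timein,"%b")
| stats count as cnt by monthno, month
| sort 0 monthno
| fields - monthno
```

As in the replies, the grouping is by month only, so data spanning more than one year would merge the same month across years.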