Solved: Sort fields by date

baranova · ‎05-27-2014

Hello There ,

Basically I have some dates in this format :

01/13 700
02/13 600
...
01/14 500

I use these fields for a chart

I wanna sort them in calendar order but I get

01/14 531
02/14 513
03/14 545
04/13 145
04/14 94
05/13 198
06/13 14
07/13 143
08/13 1234
09/13 899
10/13 508
11/13 33

Could you Help me ?

dwaddle · ‎05-27-2014

Splunk's sort is lexicographical. Your data as-is won't sort right using a lexicographical approach. Let's borrow a pattern from Python (who borrowed it from lisp), Decorate-Sort-Undecorate

| rex field=datefield "(?<temp_mon>\d\d)/(?<temp_year>\d\d)"
| sort temp_year, temp_mon
| fields -temp_year,temp_mon

We add two new fields that sort in the right order, do the sort, then throw away the temporary fields. Result is data sorted like you wanted.

View solution in original post

baranova · ‎05-27-2014

Hello dwaddle and thanks for your quick answer. Works like a charm!

dwaddle · ‎05-27-2014

Splunk's sort is lexicographical. Your data as-is won't sort right using a lexicographical approach. Let's borrow a pattern from Python (who borrowed it from lisp), Decorate-Sort-Undecorate

| rex field=datefield "(?<temp_mon>\d\d)/(?<temp_year>\d\d)"
| sort temp_year, temp_mon
| fields -temp_year,temp_mon

We add two new fields that sort in the right order, do the sort, then throw away the temporary fields. Result is data sorted like you wanted.

Sort fields by date

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms