Hi
My requirement is to create a graph for incident vs time and sort them according to my field opened_at.
But while sorting, what I observe is that it sorts only by one thing, either year or month or date.
So now I have dates as Mar 2015, Feb 2018, Feb 2015, March 2016.
I want the sorted form as Mar 2015, Feb 2015, March 2016, Feb 2018.
Thank you
Move your time formatting after the stats command
Replace
... | eval time=strftime(time,"%b %Y") | stats count(number) by time
With
... | stats count(number) by time | eval time=strftime(time,"%b %Y")
The time was in epoch format, so it'll sort correctly. You can just format it to be user-friendly after stats so sorting is maintained. With strftime invoked earlier, the timestamp is converted to a string and sorting is done alphabetically, not chronologically.
Hey somesoni2
Thanks for replying to my query.
I had already tried the solution which you gave: ... | stats count(number) by time | eval time=strftime(time,"%b %Y")
The issue with this is that the incidents get grouped by day, not month.
Like earlier, all the incidents for a given month were in the same bar, but now there are individual bars for every day.
I need to group it by months.
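
Combining the two points raised in this thread (format after aggregating so the order stays chronological, but group by month rather than by the raw timestamp), as an added example that is not from either poster: each epoch `time` is snapped to the start of its month with `relative_time` before `stats`, the rows are sorted on that epoch value, and `strftime` is applied last. The `makeresults` rows, the `opened` dates and the `month` and `incidents` field names are constructed for illustration; `time` and `number` are the field names used above, and `time` is assumed to be epoch seconds.

```spl
| makeresults count=6
| streamstats count AS number
| eval opened=case(number=1,"2015-03-04", number=2,"2018-02-11", number=3,"2015-02-20", number=4,"2016-03-09", number=5,"2015-03-28", number=6,"2015-02-02")
| eval time=strptime(opened,"%Y-%m-%d")
| eval month=relative_time(time,"@mon")
| stats count(number) AS incidents BY month
| sort 0 month
| eval month=strftime(month,"%b %Y")
```

In a real search, replace the first four lines with the base search that produces `time` and `number`; the last four lines are the part that does the monthly grouping and ordering.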