Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sorting using date_XX fields with stats

Cuyose
Builder
‎06-02-2013 04:21 PM

I have been unable to find a solution that works for me, and I have a very simple and popular query. I want to simply report the total sales by day, and have it ordered by year,month, and day

My query is this
index = myindex sourcetype="mysourcetype" | stats sum(base_grand_total) by date_month, date_mday | sort - _time

I can'f for the life of me get the output sort order to be correct, I know that its treating the date_month, etc fields as text, so im confused at what to do

date_month date_mday sum(base_grand_total)
june 1 22066.1800
june 2 9552.6400
may 29 8233.2900
may 31 8231.5000
may 28 8132.7500
may 30 7445.8700
may 27 3606.7100
may 26 236.7100

Tags (2)
0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎06-02-2013 06:58 PM

You can't sort on _time because that field is no longer there after the stats command.

I would write this search like this:

index=myindex sourcetype="mysourcetype" 
|  bucket _time span=1d
| stats sum(base_grand_total) as sum_total by date_month, date_mday,_time 
| sort - _time
|table date_month , date_mday, sum_total

I think most of it is pretty close to what you had but you can see I used the bucket command to group the results into one day bins. Then I include _time in the stats command so that I can sort based on it and then just show the fields we want with the table. You could probably just use _time and format that the way you want rather than including date_month and date_mday but that is really up to you.

0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎06-02-2013 07:19 PM

Also, this is pretty much the same thing but you can try this as well.

mysearch | timechart sum(base_grand_total) as sum_total span=1d
|eval date=strftime(_time, "%b %d") | table date, sum_total

0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎06-02-2013 07:12 PM

can you run it with out the table on the end and see what the time is for the duplicate rows?

0 Karma
Reply

Cuyose
Builder
‎06-02-2013 07:05 PM

Unfortunately this results in the same problem of sorting the results in a legible way, and this now has duplicate date rows.

date_month  date_mday   sum_total

1 june 2 6436.6500
2 june 3 903.6700
3 june 1 20379.2700
4 june 2 3349.7200
5 june 1 1686.9100
6 may 31 5851.2700
7 may 30 5361.5700
8 may 31 2380.2300
9 may 29 4433.4300
10 may 30 2084.3000
11 may 28 6883.4800
12 may 29 3799.8600

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...