Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sorting using date_XX fields with stats

Cuyose
Builder
‎06-02-2013 04:21 PM

I have been unable to find a solution that works for me, and I have a very simple and popular query. I want to simply report the total sales by day, and have it ordered by year,month, and day

My query is this
index = myindex sourcetype="mysourcetype" | stats sum(base_grand_total) by date_month, date_mday | sort - _time

I can'f for the life of me get the output sort order to be correct, I know that its treating the date_month, etc fields as text, so im confused at what to do

date_month date_mday sum(base_grand_total)
june 1 22066.1800
june 2 9552.6400
may 29 8233.2900
may 31 8231.5000
may 28 8132.7500
may 30 7445.8700
may 27 3606.7100
may 26 236.7100

Tags (2)
0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎06-02-2013 06:58 PM

You can't sort on _time because that field is no longer there after the stats command.

I would write this search like this:

index=myindex sourcetype="mysourcetype" 
|  bucket _time span=1d
| stats sum(base_grand_total) as sum_total by date_month, date_mday,_time 
| sort - _time
|table date_month , date_mday, sum_total

I think most of it is pretty close to what you had but you can see I used the bucket command to group the results into one day bins. Then I include _time in the stats command so that I can sort based on it and then just show the fields we want with the table. You could probably just use _time and format that the way you want rather than including date_month and date_mday but that is really up to you.

0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎06-02-2013 07:19 PM

Also, this is pretty much the same thing but you can try this as well.

mysearch | timechart sum(base_grand_total) as sum_total span=1d
|eval date=strftime(_time, "%b %d") | table date, sum_total

0 Karma
Reply

okrabbe_splunk
Splunk Employee
Splunk Employee
‎06-02-2013 07:12 PM

can you run it with out the table on the end and see what the time is for the duplicate rows?

0 Karma
Reply

Cuyose
Builder
‎06-02-2013 07:05 PM

Unfortunately this results in the same problem of sorting the results in a legible way, and this now has duplicate date rows.

date_month  date_mday   sum_total

1 june 2 6436.6500
2 june 3 903.6700
3 june 1 20379.2700
4 june 2 3349.7200
5 june 1 1686.9100
6 may 31 5851.2700
7 may 30 5361.5700
8 may 31 2380.2300
9 may 29 4433.4300
10 may 30 2084.3000
11 may 28 6883.4800
12 may 29 3799.8600

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...