Splunk Search

date sorting numerically not alphabetically

aaronkorn
Splunk Employee
Splunk Employee

Hello,

We have the following search in a chart but the dates are sorting alphabetically rather than numerically. ie Aug 1, Aug 2, Jul 29, Jul 30 and not Jul 29, Jul 30, Aug 1, Aug 2.

index=reporter | dedup TKT_NUMBER | eval time=strftime(_time, "%b %d") | bucket time span=1d | chart count over NOTIFY_GROUP by time useother=f | rename NOTIFY_GROUP AS Group

0 Karma

aaronkorn
Splunk Employee
Splunk Employee

Thanks for your response. I tried the code but still not the result I was looking for: alt text

0 Karma

Ayn
Legend

That's because you're sorting by an alphanumeric field - Splunk doesn't know what the string you're sorting by represents. It's a better idea to sort by _time but have it display as something more human readable.

index=reporter | dedup TKT_NUMBER | bucket _time span=1d | chart count over NOTIFY_GROUP by _time useother=f | rename NOTIFY_GROUP as GROUP | fieldformat _time=strftime(_time,"%b %d")
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...