Hello!
I'm trying to sort a field based on the timestamp.
This is my current search command
sourcetype=log | eval date_readable=date_mday." ".date_month | stats count by date_readable
Using this search command, I'm able to produce the following graph in my dashboard.
Graph: http://i40.tinypic.com/2ai0zzn.png
However, the date is not sorted in the correct sequence. Is there any way for me to sort the date_readable field according to timestamp?
Thanks!
Well, from what it looks like in the picture, it is sorted on date_readable. Unfortunately for you, date_readable has no special meaning to Splunk - it's just a string.
I'd suggest that you do the following instead:
sourcetype=log | timechart span=1d count
That will sort it automatically.
UPDATE:
linu1988 has a point here - there is a difference between _time and the date_* fields. In your original search query, you used the date_* fields, but the timechart approach I suggested uses _time.
See lguinn's excellent explanation here:
http://answers.splunk.com/answers/99451/variance-betweeen-time-and-date-fields
/K
Because it's still a string, not a date.
Convert it into time using strftime() / convert, then do a sort, then chart...
sourcetype=log | timechart span=1d count works for me! Thanks a lot! (:
If the event time matches the log time. If not, _time needs to be assigned from the logs, then chart...
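As an added example (not code from the thread), here is one way to combine the two answers above: bucket and count on _time so the rows are ordered chronologically, and only then derive a readable label for the chart from that same timestamp, instead of from the date_mday/date_month strings. Only sourcetype=log and the field name date_readable come from the question; the "%d %b" label format is an assumption.

```spl
sourcetype=log
| bin _time span=1d
| stats count BY _time
| sort 0 _time
| eval date_readable=strftime(_time, "%d %b")
| table date_readable count
```

bin plus stats BY _time is what timechart span=1d count does internally, and sort 0 _time makes the chronological order explicit before the label is built; because date_readable is computed from _time rather than from the date_* fields, it cannot disagree with the timestamp the events were actually indexed on, which is the mismatch linu1988 warns about.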