Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I sort my search events by week?

ronniemakhombi
Explorer
‎12-17-2018 01:32 AM

I am new to Splunk. I am having a problem sorting my search results by week. I tried using the following dates as my earliest and latest dates as: 

| earliest="08/06/2018" latest="30/06/2018"

The following is a snippet for my events.

DATE,Number,Count,Amount
08/06/2018,267774,1,5
08/06/2018,267721,1,5
30/06/2018,2677759,1,5

Please help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-17-2018 01:50 AM

@ronniemakhombi,

Try using the week number in the sorting

your search|eval week_no=strftime( strptime(DATE,"%d/%m/%Y"),"%V")|sort week_no
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-17-2018 01:50 AM

@ronniemakhombi,

Try using the week number in the sorting

your search|eval week_no=strftime( strptime(DATE,"%d/%m/%Y"),"%V")|sort week_no
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 05:10 AM

Hi Renjith. The following is the output I received from

|eval time_in_epoch=strptime(DATE,"%d/%m/%Y")
|eval week_1=strftime(time_in_epoch,"%V")

I want to sort them as Week 1, Week 2, Week 3, Week 4

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-17-2018 06:24 AM

@ronniemakhombi,
Alright.
Try

"your current search"|sort week_1|streamstats count as _rowno|eval week_1="Week"._rowno
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 02:28 AM

Hi
renjith, Kindly explain ( strptime(DATE,"%d/%m/%Y"),"%V"). i used it as | eval week_1=strftime( strptime(DATE,"08/06/2018"),"%V")

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-17-2018 02:35 AM

strptime(DATE,"%d/%m/%Y") converts your DATE to an epoch time. Lets assume the field as e
strftime(e,"%V") extracts the week number from that.

So it can be splitted into two steps as well

|eval time_in_epoch=strptime(DATE,"%d/%m/%Y")
|eval week_1=strftime(time_in_epoch,"%V")

Hope that helps

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 04:35 AM

It worked thanx! It grouped my search results into 4. For the future, using

|eval time_in_epoch=strptime(DATE,"%d/%m/%Y")
|eval week_1=strftime(time_in_epoch,"%V")

How can I have the results displaying week 1, week 2, week 3 and week 4.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-17-2018 04:39 AM

Hows your output looks like now? Are there only 4 rows and the count is per week and sorted?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

ronniemakhombi
Explorer
‎12-17-2018 06:16 AM

There are 4 rows and the count. These rows are as 23, 24, 25, 26 (These are not sorted), however, the count is sorted.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...