- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Timeformat not sorting properly
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using this search:
sourcetype="foo" name="foobar*" | convert timeformat="%m/%d/%Y - %a" ctime(_time) AS Date | convert timeformat="%H:%M:%S.%N" ctime(_time) AS Time | table Time Date host name category | rename host as Server name as Name category as Category | sort - Time
The sort is not working. can anyone suggest what it is I am doing wrong with the sort or timeformat and how to fix it???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured it out. Timestamps is just a number before you convert the format so it sorts correctly so you need to sort t=he time before you convert the format like this.
sourcetype="foo" name="foobar*" | sort - _time | convert timeformat="%m/%d/%Y - %a" ctime(_time) AS Date | convert timeformat="%H:%M:%S.%N" ctime(_time) AS Time | table Time Date host name category | rename host as Server name as Name category as Category
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured it out. Timestamps is just a number before you convert the format so it sorts correctly so you need to sort t=he time before you convert the format like this.
sourcetype="foo" name="foobar*" | sort - _time | convert timeformat="%m/%d/%Y - %a" ctime(_time) AS Date | convert timeformat="%H:%M:%S.%N" ctime(_time) AS Time | table Time Date host name category | rename host as Server name as Name category as Category
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope sorry this does not work in the search. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this works for | sort Time |
it does not work for | sort - Time |
I can use it though. please put it in as an answer so I can give you credit for the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe I'm wrong but should it work if :
sourcetype="foo" name="foobar*" | convert timeformat="%m/%d/%Y - %a" ctime(_time) AS Date | convert timeformat="%H:%M:%S.%N" ctime(_time) AS Time | sort - Time | table Time Date host name category | rename host as Server name as Name category as Category
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
