data is displayed by alphabetic order of the month name when using date_month to sort

Question

In 4.2.x, instead of June, July, August, September, the data listed as August, July, June, September. Data is displayed by alphabetic order of the month name.

Data is displayed by alphabetic order of the month name when it should be logical.

* |stats count as "Total Incident/month" by date_month

alt text

Answer 1

0	This is a bug. Bug#SPL-43691 link answered 28 Sep '11, 15:02 Splunker_J ♦ 1.1k●5●6●31 accept rate: 62%

Answer 2

0	This is not a bug. If you do want to sort by month, then you can place the month number in a field and sort on that, e.g.: `... \| eval date_numericmonth=strftime(_time,"%m") \| stats count by date_numericmonth` link answered 28 Sep '11, 20:30 gkanapathy ♦ 32.6k●4●8●27 accept rate: 41%

Answer 3

0

I would change something slightly with gkanapathy's answer. Prefix the date_numeric_month with an underscore to make it hidden and add the month name within the query.

In this example I am getting the count of user_ids per month:

... | eval _date_numeric_month=strftime(_time,"%m") | stats count(user_id) by _date_numeric_month, date_month | sort _date_numeric_month

link

answered 22 Nov '11, 03:13

ag
16●1
accept rate: 0%

data is displayed by alphabetic order of the month name when using date_month to sort

Follow this question

Splunk Resources

Related questions