https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407287#M7010 <P>I have a few instances where I will get status events for when jobs are running very quickly and appear as the same timestamp in splunk. When this happens I will get a RUNNING status event after a SUCCESS event, which in fact should be reversed. I am doing processing to get the latest status for certain jobs and this causes a problem with that.</P> <P>Here is an example below, as you see the two events have an identical timestamp but have been pulled in in reverse order. How do i properly get the latest event when the timestamp is shared like this?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6385iD04ABCBF7F934AEA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 16 Jan 2019 20:21:14 GMT x213217 2019-01-16T20:21:14Z https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407287#M7010 <P>I have a few instances where I will get status events for when jobs are running very quickly and appear as the same timestamp in splunk. When this happens I will get a RUNNING status event after a SUCCESS event, which in fact should be reversed. I am doing processing to get the latest status for certain jobs and this causes a problem with that.</P> <P>Here is an example below, as you see the two events have an identical timestamp but have been pulled in in reverse order. How do i properly get the latest event when the timestamp is shared like this?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6385iD04ABCBF7F934AEA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 16 Jan 2019 20:21:14 GMT https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407287#M7010 x213217 2019-01-16T20:21:14Z https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407288#M7011 <P>You can |sort - _time statusCode</P> Wed, 16 Jan 2019 20:25:45 GMT https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407288#M7011 Vijeta 2019-01-16T20:25:45Z https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407289#M7012 <P>Unfortunately cannot use that field to sort as for events for Starting Running &amp; Success statuses...these have statusCodes of 3, 1, 4 respectively so the order does not match an increasing pattern</P> Wed, 16 Jan 2019 20:32:32 GMT https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407289#M7012 x213217 2019-01-16T20:32:32Z https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407290#M7013 <P>you can assign your own values, using eval and if and sort based on new field.</P> <PRE><CODE>eval status=if(statusCode=1,P2,if(statusCode=3,P1, if(statusCode=4,P4))) </CODE></PRE> Wed, 16 Jan 2019 20:37:37 GMT https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407290#M7013 Vijeta 2019-01-16T20:37:37Z https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407291#M7014 <P>Looks like you need to add <CODE>ms</CODE> to your logging for better granularity and correct ordering. Your jobs are running and completing in under a second. Nothing Splunk can do to fix this </P> Wed, 16 Jan 2019 20:56:11 GMT https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407291#M7014 skoelpin 2019-01-16T20:56:11Z https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407292#M7015 <P>what about sorting by index time? This is how you get index time even though your _time is same but indextime will not be same.</P> <P>| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")<BR /> | sort - indextime</P> Thu, 17 Jan 2019 18:35:00 GMT https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407292#M7015 sdchakraborty 2019-01-17T18:35:00Z https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407293#M7016 <P>This did work for me. I wonder if it would "break" if we ever have to backfill data, though.</P> Wed, 04 Sep 2019 17:50:09 GMT https://community.splunk.com/t5/Splunk-Dev/Ordering-Events-that-arrive-with-the-same-timestamp-but-are-out/m-p/407293#M7016 dottey 2019-09-04T17:50:09Z