https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310082#M19795 <P>can you try <CODE>sort- 0 Time</CODE> at the end of the search?</P> Fri, 23 Feb 2018 11:23:32 GMT mayurr98 2018-02-23T11:23:32Z https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310080#M19793 <P>Hi,</P> <P>I've built a real time dashboard but I am seeing some strange issues.<BR /> So on the dashboard page itself, it displays perfectly without any issues.<BR /> But when I make it my home dashboard, the time inverts and starts showing the oldest events at the top.</P> <P>I have no idea why this is happening.</P> <P>Below are some screenshots of the search and the time settings.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="Dashboard view"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4440iFDA8368ED413ABAA/image-size/large?v=v2&amp;px=999" role="button" title="Dashboard view" alt="Dashboard view" /></span></P> <P><span class="lia-inline-image-display-wrapper" image-alt="Home page dashboard"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4441i780D0BC12A2E48CD/image-size/large?v=v2&amp;px=999" role="button" title="Home page dashboard" alt="Home page dashboard" /></span></P> Fri, 23 Feb 2018 10:15:39 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310080#M19793 FraserC1 2018-02-23T10:15:39Z https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310081#M19794 <P>I cannot post anymore photos, so here is the search:</P> <PRE><CODE>severity_name=alert OR severity_level=alert OR severity_name=critical OR severity_level=critical OR severity_name=emergency OR severity_level=emergency OR severity_name=error OR severity_level=error OR severity_name=informational OR severity_level=informational OR severity_name=notification OR severity_level=notification OR severity_name=warning OR severity_level=warning |fields eventtype </CODE></PRE> <P>The time is set to: rt-23h &amp; rtnow</P> Fri, 23 Feb 2018 10:17:28 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310081#M19794 FraserC1 2018-02-23T10:17:28Z https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310082#M19795 <P>can you try <CODE>sort- 0 Time</CODE> at the end of the search?</P> Fri, 23 Feb 2018 11:23:32 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310082#M19795 mayurr98 2018-02-23T11:23:32Z https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310083#M19796 <P>Hi There,</P> <P>Sorry I should have said I was added sort - _time at the end of the search and it didn't make a difference.</P> <P>Interestingly, it seems to have sorted itself out. I'm nt sure if there is some sort of delay or something like that. I've found the custom dashboards to be fairly difficult to set up.</P> Fri, 23 Feb 2018 11:26:29 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310083#M19796 FraserC1 2018-02-23T11:26:29Z https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310084#M19797 <P>can you provide entire query?</P> Fri, 23 Feb 2018 11:29:54 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310084#M19797 mayurr98 2018-02-23T11:29:54Z https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310085#M19798 <P>Sorry what do you mean the entire query?<BR /> The only thing I'm searching is with <CODE>severity_name=alert OR severity_level=alert OR severity_name=critical OR severity_level=critical OR severity_name=emergency OR severity_level=emergency OR severity_name=error OR severity_level=error OR severity_name=informational OR severity_level=informational OR severity_name=notification OR severity_level=notification OR severity_name=warning OR severity_level=warning |fields eventtype</CODE></P> Fri, 23 Feb 2018 11:40:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310085#M19798 FraserC1 2018-02-23T11:40:27Z https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310086#M19799 <P>try in ascending order <CODE>sort _time</CODE><BR /> also can you try <CODE>| rtorder discard=t</CODE> ?<BR /> Also try <CODE>| sort -_indextime</CODE></P> <P>let me know if any of the above works!</P> Fri, 23 Feb 2018 12:23:24 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310086#M19799 mayurr98 2018-02-23T12:23:24Z https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310087#M19800 <P>Hi there, I tried | rtorder discard=t and it sorted it!<BR /> Are you able to explain what this statement does? Or maybe there is documentation on it?</P> <P>Thanks for the help!</P> Fri, 23 Feb 2018 14:49:36 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310087#M19800 FraserC1 2018-02-23T14:49:36Z https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310088#M19801 <P>Yes there is a good documentation on rtorder command <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Rtorder">https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Rtorder</A></P> <P>Accept the answer if it solves your problem!</P> Fri, 23 Feb 2018 14:53:04 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Real-Time-Dashboard-issues/m-p/310088#M19801 mayurr98 2018-02-23T14:53:04Z