https://community.splunk.com/t5/Splunk-Search/Help-sorting-by-time-results-in-lost-records/m-p/445599#M167625 <P>Thanks for the advice. This is really helping me get an idea of what I can do with splunk reporting</P> <P>It seams whatever I do causes problems when I want to sort oldest first. I also found the "|reverse| command which is a little simpler since I don't have to worry I am messing up the date format string. I find that all the regular and reverse queries appear to yield the same number of records, when I export to CSV, the report lengths are quite different. </P> <P>Adding "NOT" to my queries seems to be the culprit . For example , the following query is missing event records when I try to sort oldest first. </P> <PRE><CODE> (host=somehost AND "this_string" NOT "that_string") | sort _time </CODE></PRE> <P>But the following query is does show all records </P> <PRE><CODE> (host=somehost AND "this_string" OR "that_string") | sort _time </CODE></PRE> Fri, 07 Sep 2018 16:08:04 GMT echelon101 2018-09-07T16:08:04Z https://community.splunk.com/t5/Splunk-Search/Help-sorting-by-time-results-in-lost-records/m-p/445596#M167622 <P>When I do a sort, the records show up newest first. I will typically search for events on the duration of a week or a month. If I add "| sort time" or "| sort _time" , the records will show up oldest first. The count of events does not change but I am missing events from the first day or two. </P> <P>For example, with the time picker selecting all of July </P> <PRE><CODE> (host="myfirewall") AND ("2018-07-01" OR "2018-07-02" OR "2018-07-03") </CODE></PRE> <P>will return 89 records, including all 3 days. </P> <P>However, </P> <PRE><CODE> (host="myfirewall") AND ("2018-07-01" OR "2018-07-02" OR "2018-07-03") | SORT time </CODE></PRE> <P>will return 89 records, oldest first, but does not include "2018-07-01"</P> <P>Using <BR /> | SORT -time </P> <P>will return 89 records, newest first, but does not include "2018-07-01"</P> Thu, 06 Sep 2018 18:54:11 GMT https://community.splunk.com/t5/Splunk-Search/Help-sorting-by-time-results-in-lost-records/m-p/445596#M167622 echelon101 2018-09-06T18:54:11Z https://community.splunk.com/t5/Splunk-Search/Help-sorting-by-time-results-in-lost-records/m-p/445597#M167623 <P>Always do <CODE>| sort _time</CODE> and tell me if after that the events still get lost in the void.</P> Thu, 06 Sep 2018 19:33:58 GMT https://community.splunk.com/t5/Splunk-Search/Help-sorting-by-time-results-in-lost-records/m-p/445597#M167623 horsefez 2018-09-06T19:33:58Z https://community.splunk.com/t5/Splunk-Search/Help-sorting-by-time-results-in-lost-records/m-p/445598#M167624 <P>I have tried the following</P> <P>| sort _time<BR /> | sort -_time<BR /> | sort time <BR /> | sort -time</P> <P>with the same results.</P> <P>If I look at an event log fields in a recent event I see that <BR /> time = 2018-08-27 08:14:26<BR /> _time = 2018-08-27T08:08:11.000-04:00 </P> <P>The problem may be occurring in search queries that are relatively complex (e.g. where I search for firewall events and have a log "NOT (this OR that OR ...) " statement to filter out events that aren't of interest. I tried to make sure that the entire query prior to the " | sort .... " entry was in (). </P> Tue, 29 Sep 2020 21:09:32 GMT https://community.splunk.com/t5/Splunk-Search/Help-sorting-by-time-results-in-lost-records/m-p/445598#M167624 echelon101 2020-09-29T21:09:32Z https://community.splunk.com/t5/Splunk-Search/Help-sorting-by-time-results-in-lost-records/m-p/445599#M167625 <P>Thanks for the advice. This is really helping me get an idea of what I can do with splunk reporting</P> <P>It seams whatever I do causes problems when I want to sort oldest first. I also found the "|reverse| command which is a little simpler since I don't have to worry I am messing up the date format string. I find that all the regular and reverse queries appear to yield the same number of records, when I export to CSV, the report lengths are quite different. </P> <P>Adding "NOT" to my queries seems to be the culprit . For example , the following query is missing event records when I try to sort oldest first. </P> <PRE><CODE> (host=somehost AND "this_string" NOT "that_string") | sort _time </CODE></PRE> <P>But the following query is does show all records </P> <PRE><CODE> (host=somehost AND "this_string" OR "that_string") | sort _time </CODE></PRE> Fri, 07 Sep 2018 16:08:04 GMT https://community.splunk.com/t5/Splunk-Search/Help-sorting-by-time-results-in-lost-records/m-p/445599#M167625 echelon101 2018-09-07T16:08:04Z