https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93928#M24179 <P>Thank you.</P> Mon, 09 Jul 2012 20:21:38 GMT shangshin 2012-07-09T20:21:38Z https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93926#M24177 <P>Hi, I tried to format the eventtime and would like to show the latest time event first. However, the search string below always displays the oldest event first, What's even weird is that when I clicked on the Time header in the table, the column is still not sorted. I am wondering if anyone can shed some light on this? Thank you!</P> <P>| bucket _time span=60m | eval Time=strftime(_time, "%m/%d %H:%M %Z") | STATS avg(time_taken) AS AverageResponseTime BY Time | sort by Time desc</P> Mon, 28 Sep 2020 12:02:48 GMT https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93926#M24177 shangshin 2020-09-28T12:02:48Z https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93927#M24178 <P>Your syntax is a little off. Have a look at sort's syntax here: <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort</A></P> <P>This should work better:</P> <PRE><CODE>... | sort - Time </CODE></PRE> Mon, 09 Jul 2012 19:51:26 GMT https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93927#M24178 Ayn 2012-07-09T19:51:26Z https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93928#M24179 <P>Thank you.</P> Mon, 09 Jul 2012 20:21:38 GMT https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93928#M24179 shangshin 2012-07-09T20:21:38Z https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93929#M24180 <P>Hello, it doesn't seems to work for me <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><BR /> The source type is log4j logs. Splunk (light) successfully parsed date/time and shows me separate column in search results with name "Time". I tried (with space and without space after minus):<BR /> | sort -Time<BR /> | sort -_time</P> <P>Whatever I do it just ignore and sort results ascending.<BR /> I figured out that if I put wrong field name it does the same. The name "_time" I tried to use because when you click on the value in Time column it shows option to show events before or auto and tell me that the field name is "_time". Could you make any suggestion please?</P> Tue, 29 Sep 2020 08:17:16 GMT https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93929#M24180 dmorozov 2020-09-29T08:17:16Z https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93930#M24181 <P>If you are trying to sort by the extracted timestamp, then _time is what you want to use i.e.</P> <PRE><CODE>| sort -_time </CODE></PRE> <P>I just hit this and it was driving me nuts as I was using Time and not seeing the expected result.</P> Tue, 28 Jun 2016 21:09:02 GMT https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93930#M24181 gblock_splunk 2016-06-28T21:09:02Z https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93931#M24182 <P>Hi there, this answer isn't working for me. Here's the query I'm typing:</P> <PRE><CODE>name@email.com | sort - Time </CODE></PRE> <P>And in the output I'm seeing:</P> <PRE><CODE>Time 5/2/19 7:38:41.000 PM 5/2/19 7:38:44.769 PM 5/2/19 7:38:44.000 PM </CODE></PRE> <P>So, not only is the order not <EM>descending</EM>, but it's not even <EM>sorted</EM>. Splunk is ignoring my sort directive altogether and is just doing whatever it wants instead.</P> <P>Please advise?<BR /> Thanks</P> Thu, 02 May 2019 17:55:13 GMT https://community.splunk.com/t5/Splunk-Search/sort-by-Time-desc/m-p/93931#M24182 evanriegel 2019-05-02T17:55:13Z