https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108201#M28148 <P>You're doing "top" as the second command in that search. top generates statistics on events and returns the aggregated statistics for the events, so the details for those events (including timestamp) will not be available after running top. This is why sorting by _time does not work in this search. What is it you want the search to show?</P> Thu, 10 Nov 2011 15:59:33 GMT Ayn 2011-11-10T15:59:33Z https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108196#M28143 <P>I have a dashboard with a few table views. I want the first event to be the most recent event (so sort by most recent event) - like the way they are displayed by default when you do a search. I do not have a time stamp field.</P> Thu, 10 Nov 2011 12:47:11 GMT https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108196#M28143 mcbradford 2011-11-10T12:47:11Z https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108197#M28144 <P>You always have a timestamp field! It's called <CODE>_time</CODE> and by sorting descending by it you get the most recent events first.</P> <PRE><CODE>... | sort - _time </CODE></PRE> Thu, 10 Nov 2011 12:53:52 GMT https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108197#M28144 Ayn 2011-11-10T12:53:52Z https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108198#M28145 <P>I tried this and it did not work, so instead I tried | top _time, field1, field2 and this works. The only problem this creates is field1 might be repeated. If I dedup field one, I get less than 10 results.</P> Thu, 10 Nov 2011 13:39:30 GMT https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108198#M28145 mcbradford 2011-11-10T13:39:30Z https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108199#M28146 <P>You need to specify how it "did not work". What does your search look like? What does your dashboard XML look like? By default Splunk is returning the latest events first, so if the events in your table are sorted in any other order that implies you are doing something else in your search that interferes with that default behaviour.</P> Thu, 10 Nov 2011 13:56:54 GMT https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108199#M28146 Ayn 2011-11-10T13:56:54Z https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108200#M28147 <P>index=myindex action="AUTHN_LOGIN_EVENT" result="SUCCESS" my-Users earliest=-24h | top login_name, last_name, first_name | eval emp_name=last_name. ", " .first_name|rename emp_name as "Employee Name" | rename login_name as User-ID | table "User-ID" "Employee Name"| sort - _time<BR /> <TITLE>Successful My Users</TITLE></P> <P>This will not sort by _time</P> Mon, 28 Sep 2020 10:05:07 GMT https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108200#M28147 mcbradford 2020-09-28T10:05:07Z https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108201#M28148 <P>You're doing "top" as the second command in that search. top generates statistics on events and returns the aggregated statistics for the events, so the details for those events (including timestamp) will not be available after running top. This is why sorting by _time does not work in this search. What is it you want the search to show?</P> Thu, 10 Nov 2011 15:59:33 GMT https://community.splunk.com/t5/Splunk-Search/sorting-by-latest-event-dashboard-table/m-p/108201#M28148 Ayn 2011-11-10T15:59:33Z