topic Re: presenting logs in reverse order in Splunk Search

presenting logs in reverse order

a212830 — Fri, 11 Jul 2014 14:13:24 GMT

hI,

The default mode for Splunk is to show the most recent activity first. How can I show the logs from, say midnight to now, rather than now to midnight.

Re: presenting logs in reverse order

Jeff_Lightly_Sp — Fri, 11 Jul 2014 14:20:36 GMT

Using REVERSE may do the job for you:

| reverse

Re: presenting logs in reverse order

somesoni2 — Fri, 11 Jul 2014 14:21:20 GMT

There is no setting to changes the Splunk's default chronological order of showing events (most recent to oldest). You can use "reverse" command to show events in opposite order.

See this
http://answers.splunk.com/answers/1691/how-to-reverse-the-order-of-displayed-events

Re: presenting logs in reverse order

agodoy — Fri, 11 Jul 2014 14:29:18 GMT

I have found that the reverse command gives unexpected results, specially when there are a lot of events returned. Therefore, I use the sort command on the _time field.

<your search> | sort +_time

Re: presenting logs in reverse order

somesoni2 — Fri, 11 Jul 2014 14:48:13 GMT

The only problem with sort is that it doesn't handle events with same timestamp well like reverse does. Otherwise if there won't be events with same timestamp or you don't care about the order in that case, sort _time can be used.