https://community.splunk.com/t5/Splunk-Search/how-to-get-a-search-results-in-ascending-order-time-wise-every/m-p/167682#M47744 <P>its working perfect... thanks a ton.......</P> Tue, 06 Jan 2015 12:12:39 GMT marees123 2015-01-06T12:12:39Z https://community.splunk.com/t5/Splunk-Search/how-to-get-a-search-results-in-ascending-order-time-wise-every/m-p/167680#M47742 <PRE><CODE>*swt* "changed state to" */*/* | rex "(?i) Interface (?P[^,]+)" | rex "(?i)changed state to (?P.+)" | table host, AnInterface, UpDown, _time </CODE></PRE> <P>this is the query im using.. everytime it gives different order.... please help me out....</P> Tue, 06 Jan 2015 11:15:10 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-a-search-results-in-ascending-order-time-wise-every/m-p/167680#M47742 marees123 2015-01-06T11:15:10Z https://community.splunk.com/t5/Splunk-Search/how-to-get-a-search-results-in-ascending-order-time-wise-every/m-p/167681#M47743 <P>Hi marees123,</P> <P>how about something like this:</P> <PRE><CODE>*swt* "changed state to" */*/* | rex "(?i) Interface (?P[^,]+)" | rex "(?i)changed state to (?P.+)" | table host, AnInterface, UpDown, _time | sort +_time </CODE></PRE> <P>or</P> <PRE><CODE>*swt* "changed state to" */*/* | rex "(?i) Interface (?P[^,]+)" | rex "(?i)changed state to (?P.+)" | table host, AnInterface, UpDown, _time | reverse </CODE></PRE> <P>or</P> <PRE><CODE>*swt* "changed state to" */*/* | rex "(?i) Interface (?P[^,]+)" | rex "(?i)changed state to (?P.+)" | chart values(AnInterface) AS AnInterface values(UpDown) AS UpDown over _time by host </CODE></PRE> <P>hope this helps ...</P> <P>cheers, MuS</P> Tue, 06 Jan 2015 11:49:16 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-a-search-results-in-ascending-order-time-wise-every/m-p/167681#M47743 MuS 2015-01-06T11:49:16Z https://community.splunk.com/t5/Splunk-Search/how-to-get-a-search-results-in-ascending-order-time-wise-every/m-p/167682#M47744 <P>its working perfect... thanks a ton.......</P> Tue, 06 Jan 2015 12:12:39 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-a-search-results-in-ascending-order-time-wise-every/m-p/167682#M47744 marees123 2015-01-06T12:12:39Z https://community.splunk.com/t5/Splunk-Search/how-to-get-a-search-results-in-ascending-order-time-wise-every/m-p/167683#M47745 <P>you're welcome <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 06 Jan 2015 12:16:38 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-a-search-results-in-ascending-order-time-wise-every/m-p/167683#M47745 MuS 2015-01-06T12:16:38Z https://community.splunk.com/t5/Splunk-Search/how-to-get-a-search-results-in-ascending-order-time-wise-every/m-p/167684#M47746 <P>Hi Mus,</P> <P>I'm using the below query as you suggested,</P> <PRE><CODE> *swt* "changed state to" */*/* | rex "(?i) Interface (?P[^,]+)" | rex "(?i)changed state to (?P.+)" | table host, AnInterface, UpDown, _time | sort -_time | reverse </CODE></PRE> <P>Could any one please provide the script, so that splunk will send the below logs to netcool. </P> <PRE><CODE>data1swt0001 GigabitEthernet1/0/1 down 2015-01-24 23:48:38 data1swt0001 GigabitEthernet1/0/1 down 2015-01-24 23:48:38 data1swt0001 GigabitEthernet1/0/1 up 2015-01-24 23:52:08 data1swt0001 GigabitEthernet1/0/1 up 2015-01-24 23:52:08 </CODE></PRE> <P>Thanks....</P> Thu, 29 Jan 2015 07:00:09 GMT https://community.splunk.com/t5/Splunk-Search/how-to-get-a-search-results-in-ascending-order-time-wise-every/m-p/167684#M47746 marees123 2015-01-29T07:00:09Z