topic Re: Splunk automaticaly sort event base on date time i want disable this feature for particular log file? in Splunk Search

Splunk automaticaly sort event base on date time i want disable this feature for particular log file?

nitesh218ss — Mon, 28 Sep 2020 19:47:51 GMT

i have log file which sum event show previously time event of when transatin start to end after every transation complet.

So splunk automatically sort log event total base on _time in that some event which show time of 1,2 second back they also automaticaly sorted so i want disable Automatic sort
I want the event show normally sequence which present in log
How i disable date time ?

MY log samlpe:

13:06:30.706|0000536|2|32| |O|Received response from OG
13:06:30.706|1303635|2|32| |O|IsVoid set to [0], VoidSource is [0]
13:06:30.706|1303635|2|32| |O|Creating new reply object to send response
13:06:30.721|0000536|2|32| |O|1|13:06:29.331|1010051221690010175F2F61179807901**********************************50000415031813062282682610(EMV_DATA)104800601320000020000E0B8C803030000000500082641740400000000350001FDD29099
TT: 62 (ms) 13:06:29.378|1221690010175F2F61079807901**********************************500015031813062282682610(EMV_DATA)104800601320000020000E0B8C8
13:06:30.706|122169001017512000AUTH CODE:13974401503(EMV_DATA)00080000100112345678901234512341002GP15077000000AB1
13:06:30.721|12216900101751300213974400AUTH CODE:1397440F8140EEF84CFDB03303000080000100112345678901234512341002GP15077000000AB166B90A0B0001303635431621328
13:06:30.721|0000536|2|32| |O|getLogMsg returned: [229^101005^17^ihost-uatlive^1^2^5^S^12^11^13^0175^231^0^15^D^18^22169001^21^150318^22^130600^24^TtWlS34ZjBo=^25^0^26^00000005000^199^00000005000^29^XTKueLHMJ9pDGvfSQn0xXI6sjf7niXAV^252^0119^181^1^274^1^275^0^45^43^71^00^80^79807901^82^20150318^83^130629^84^ASH001303635^23^139744^30^92^70^476173900^126^1^147^0^148^4^149^0^160^0^16^0^195^2^176^826^40^826^177^^178^22^179^10^188^^180^0^112^19T9oislVJ5BK0JAImpkLAabsxoTy33RPIQ1ZlzXeIqH1jFaPSra1N5vWtTzlP60ImUeKraJJRx+RfdiM19E1ISp1SIjKOtuDuSaTPQNny4dfm+pQZAm9x+mQV2tR3sdyHGbKXMP+WoRXMoXIHMRwyAzdUq8II/YNRm3uXrftmoyo=^112^21104800601320000020000E0B8C8030300000005000826417404000000000000003501^19^3^137^F2F6^151^0^150^0^146^000800^112^20F8140EEF84CFDB033030^112^2200100112345678901234512341002GP15077000000AB1^95^AUTH CODE:139744^196^1^119^5000^94^826^224^1^223^1^254^000000^134^1.7404^33^000000^253^5C413DD4331BA4E6436E2E96FDA471D3^107^^32^0000^]
13:06:30.721|0000536|1|66| |O|Receive return code indicates 358 bytes received
13:06:30.721|0000536|1|66| |O|Detached from socket [127.0.0.1:2050] having received [358] bytes
13:06:30.721|0000536|1|66| |O|Received 356 byte response from Handler
13:06:30.721|0000536|1|66| |O|Closing send socket [127.0.0.1:2050]

if you see first 4 line is normal after that again 3 event of old time after that last 4 line is normal

Re: Splunk automaticaly sort event base on date time i want disable this feature for particular log file?

satishsdange — Thu, 30 Apr 2015 10:15:18 GMT

Whats the objective of removing timestamp? If you don't need that in report, just use xxx | fields - _time

Re: Splunk automaticaly sort event base on date time i want disable this feature for particular log file?

nitesh218ss — Thu, 30 Apr 2015 10:26:23 GMT

i use fields - _time this but they remove field _time but automatic sort base on time not disable result come in time sort order after that also

Re: Splunk automaticaly sort event base on date time i want disable this feature for particular log file?

vganjare — Thu, 30 Apr 2015 10:40:49 GMT

Hi,

Does sorting on _indextime can help you?

Thanks!!

Re: Splunk automaticaly sort event base on date time i want disable this feature for particular log file?

nitesh218ss — Thu, 30 Apr 2015 11:11:11 GMT

No they also not work i want Auto time sorting desable but i not able to found how i do?

Re: Splunk automaticaly sort event base on date time i want disable this feature for particular log file?

woodcock — Mon, 28 Sep 2020 19:48:04 GMT

If I am understanding you correctly, you would like to be able to use Splunk to show a reconstituted view of the original file. If so, this should work:



| sort 0 - _indextime | stats list(_raw) by source

Re: Splunk automaticaly sort event base on date time i want disable this feature for particular log file?

nitesh218ss — Mon, 04 May 2015 07:37:08 GMT

now i able to see raw data but i not able to do any operation like show fields in table, they also sorted order and only top 1000 field they show after that remaining blank.
i want disable automatically time sort after that i do my won operation on that
if you want log file then mail me nitesh.hadoop@gmail.com
i use

[other]
disabled = true

in file C:\Program Files\Splunk\etc\system\default\times.conf
but they also not work

Re: Splunk automaticaly sort event base on date time i want disable this feature for particular log file?

woodcock — Mon, 28 Sep 2020 19:49:27 GMT

This is probably the DUMBEST thing I have ever told anybody to do but here goes. You cannot "disable sort" the way you desire because sorting by _time is at the core of what Splunk fundamentally does. The only way I can see to do what you are asking is to force all events to have the same identical (bogus) time. You can do this with this datetime.xml file:
<datetime>

</datetime>
This should cause all events to go into the tsidx in the order that they are processed, because each has the same timestamp. It would probably be best if you somehow managed to set the date to a date that moves, rather than hard-coding it (maybe get it from the filename) so that your events appear near-now without having to update your hard-coded day/month values in the datetime.xml.

Re: Splunk automaticaly sort event base on date time i want disable this feature for particular log file?

nitesh218ss — Tue, 05 May 2015 06:32:30 GMT

we able to disable automatically at a time of indexing 
when i select file after when you Set Sourcetype

that time you select timestamp current time then they load normally
I got this idea by Rosie Sennett which help me to solve this problem

Re: Splunk automaticaly sort event base on date time i want disable this feature for particular log file?

nitesh218ss — Mon, 28 Sep 2020 19:44:32 GMT

But at time of indexing i use LINE_BREAKER they work correctly but when i add
FIELD_DELIMITER = |
FIELD_NAMES = timee,audit,serviceType,processId,serviceName,indicator,status1,status2,status3,status4,status5,status6
the line break not work

Re: Splunk automaticaly sort event base on date time i want disable this feature for particular log file?

nitesh218ss — Mon, 28 Sep 2020 19:44:34 GMT

i give a solution of this problem please see answer 3