https://community.splunk.com/t5/Splunk-Search/My-dashboard-modifies-the-search-command-quot-sor-quot-t-and/m-p/261264#M78402 <P>Check out the sort documentation: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sort">http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sort</A></P> <P>Give this a shot instead. This is the correct syntax:</P> <PRE><CODE>sort 0 -_time </CODE></PRE> Tue, 30 Aug 2016 13:18:30 GMT jpolcari 2016-08-30T13:18:30Z https://community.splunk.com/t5/Splunk-Search/My-dashboard-modifies-the-search-command-quot-sor-quot-t-and/m-p/261263#M78401 <P>Hello,<BR /> I have a search rule that is perfectly working:<BR /> .... | <BR /> sort - 0 _time | <BR /> fields - _* | <BR /> fields data1 data 2 data3</P> <P>I have created a dashboard and integrated the rule. <BR /> The result of the rule is wrong and I discovered that the string search had been modified:</P> <P><STRONG>"sort - 0 _time" =&gt; "sort-0 _time"</STRONG> and this command does not work; it does not sort <EM>time in the correct order<BR /> "fields - _*" gets " fields-</EM>*" which is not doing the same thing; it does not remove the fields beginning by _</P> <P>I have done many tests and this is reproductible 100%. <BR /> Each time the generation of the dashboard xml code corrupt my search string and I can not create a working dashboard.</P> <P>Any ideas are welcome</P> <P>Regards</P> Tue, 30 Aug 2016 13:13:30 GMT https://community.splunk.com/t5/Splunk-Search/My-dashboard-modifies-the-search-command-quot-sor-quot-t-and/m-p/261263#M78401 clorne 2016-08-30T13:13:30Z https://community.splunk.com/t5/Splunk-Search/My-dashboard-modifies-the-search-command-quot-sor-quot-t-and/m-p/261264#M78402 <P>Check out the sort documentation: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sort">http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sort</A></P> <P>Give this a shot instead. This is the correct syntax:</P> <PRE><CODE>sort 0 -_time </CODE></PRE> Tue, 30 Aug 2016 13:18:30 GMT https://community.splunk.com/t5/Splunk-Search/My-dashboard-modifies-the-search-command-quot-sor-quot-t-and/m-p/261264#M78402 jpolcari 2016-08-30T13:18:30Z https://community.splunk.com/t5/Splunk-Search/My-dashboard-modifies-the-search-command-quot-sor-quot-t-and/m-p/261265#M78403 <P>I think you are running into a syntax issue. FIELDS and SORT use the '-' differently. For sort, there is no space between the minus and the field you want to sort in descending order:</P> <PRE><CODE>sort 0 -_time </CODE></PRE> <P>I'm not sure if you have a typo on your FIELDS command above, but I think what you were shooting for was:</P> <PRE><CODE>fields - _* </CODE></PRE> <P>If your intended result was to end up with only the three fields at the end, you should be able to do this:</P> <PRE><CODE>.... | sort 0 -_time | table data1 data2 data3 </CODE></PRE> Tue, 30 Aug 2016 13:28:13 GMT https://community.splunk.com/t5/Splunk-Search/My-dashboard-modifies-the-search-command-quot-sor-quot-t-and/m-p/261265#M78403 justinatpnnl 2016-08-30T13:28:13Z https://community.splunk.com/t5/Splunk-Search/My-dashboard-modifies-the-search-command-quot-sor-quot-t-and/m-p/261266#M78404 <P>Thanks a lot</P> Tue, 30 Aug 2016 15:14:11 GMT https://community.splunk.com/t5/Splunk-Search/My-dashboard-modifies-the-search-command-quot-sor-quot-t-and/m-p/261266#M78404 clorne 2016-08-30T15:14:11Z https://community.splunk.com/t5/Splunk-Search/My-dashboard-modifies-the-search-command-quot-sor-quot-t-and/m-p/261267#M78405 <P>Thansk a lot</P> Tue, 30 Aug 2016 15:14:23 GMT https://community.splunk.com/t5/Splunk-Search/My-dashboard-modifies-the-search-command-quot-sor-quot-t-and/m-p/261267#M78405 clorne 2016-08-30T15:14:23Z