topic Re: Why is the TAIL command listing the events in order of ascending time while the HEAD command lists the events in order of descending time? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-is-the-TAIL-command-listing-the-events-in-order-of-ascending/m-p/330248#M98308 <P>Because that how the commands are written. The documentation for <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Tail">tail</A> says " events are returned in reverse order, starting at the end of the result set..." The documentation for <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Head">head</A> says "Returns the first N number of specified results in search order"</P> <P>If you want the results in a different order, follow the command with "| reverse"</P> Tue, 28 Feb 2017 00:11:50 GMT lguinn2 2017-02-28T00:11:50Z Why is the TAIL command listing the events in order of ascending time while the HEAD command lists the events in order of descending time? https://community.splunk.com/t5/Splunk-Search/Why-is-the-TAIL-command-listing-the-events-in-order-of-ascending/m-p/330247#M98307 <P>Hello,</P> <P>I ran a search that had 15,000+ events. The table had the same amount of results. The results were listed in reverse chronological order for the most part.</P> <P>I wanted to see the last 10 results. So I used the TAIL command. But the last 10 results were in chronological order. It was counter intuitive to me because I thought it would be similar to scrolling down to the bottom of the original list. I was expecting the last 10 results to be in reverse chronological order.</P> <PRE><CODE>| eval myTime=_time | eval myTime2=strftime(myTime,"%Y-%m-%d %H:%M:%S:%3Q") | bucket SPAN=5m _time | tail | table _time myTime myTime2 </CODE></PRE> <P>_time ----------------------------------- myTime ---------------- myTime2<BR /> 2012-03-16T12:30:00.000+0000 1331901000.000000 2012-03-16 12:30:00:000<BR /> 2012-03-16T12:30:00.000+0000 1331901000.000000 2012-03-16 12:30:00:000<BR /> 2012-03-16T12:30:00.000+0000 1331901000.000000 2012-03-16 12:30:00:000<BR /> 2012-03-16T12:30:00.000+0000 1331901000.000000 2012-03-16 12:30:00:000<BR /> 2012-03-16T12:30:00.000+0000 1331901000.000000 2012-03-16 12:30:00:000<BR /> 2012-03-16T12:30:00.000+0000 1331901000.010000 2012-03-16 12:30:00:010<BR /> 2012-03-16T12:30:00.000+0000 1331901000.020000 2012-03-16 12:30:00:020<BR /> 2012-03-16T12:30:00.000+0000 1331901000.020000 2012-03-16 12:30:00:020<BR /> 2012-03-16T12:30:00.000+0000 1331901000.030000 2012-03-16 12:30:00:030<BR /> 2012-03-16T12:30:00.000+0000 1331901000.040000 2012-03-16 12:30:00:040</P> <P>I then ran the HEAD command to see if that would also change the order. But it did not. The HEAD command put the first 10 events in reverse chronological order as expected.</P> <PRE><CODE>| eval myTime=_time | eval myTime2=strftime(myTime,"%Y-%m-%d %H:%M:%S:%3Q") | bucket SPAN=5m _time | head | table _time myTime myTime2 </CODE></PRE> <P>_time ----------------------------------- myTime ---------------- myTime2<BR /> 2012-03-16T13:25:00.000+0000 1331904442.350000 2012-03-16 13:27:22:350<BR /> 2012-03-16T13:25:00.000+0000 1331904442.220000 2012-03-16 13:27:22:220<BR /> 2012-03-16T13:25:00.000+0000 1331904442.100000 2012-03-16 13:27:22:100<BR /> 2012-03-16T13:25:00.000+0000 1331904442.090000 2012-03-16 13:27:22:090<BR /> 2012-03-16T13:25:00.000+0000 1331904442.000000 2012-03-16 13:27:22:000<BR /> 2012-03-16T13:25:00.000+0000 1331904442.000000 2012-03-16 13:27:22:000<BR /> 2012-03-16T13:25:00.000+0000 1331904442.000000 2012-03-16 13:27:22:000<BR /> 2012-03-16T13:25:00.000+0000 1331904442.000000 2012-03-16 13:27:22:000<BR /> 2012-03-16T13:25:00.000+0000 1331904441.960000 2012-03-16 13:27:21:960<BR /> 2012-03-16T13:25:00.000+0000 1331904441.950000 2012-03-16 13:27:21:950</P> <P>Why is the TAIL command listing the events in order of ascending time while the HEAD command lists the events in order of descending time?</P> Mon, 27 Feb 2017 22:30:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-TAIL-command-listing-the-events-in-order-of-ascending/m-p/330247#M98307 kdwsplunk 2017-02-27T22:30:18Z Re: Why is the TAIL command listing the events in order of ascending time while the HEAD command lists the events in order of descending time? https://community.splunk.com/t5/Splunk-Search/Why-is-the-TAIL-command-listing-the-events-in-order-of-ascending/m-p/330248#M98308 <P>Because that how the commands are written. The documentation for <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Tail">tail</A> says " events are returned in reverse order, starting at the end of the result set..." The documentation for <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Head">head</A> says "Returns the first N number of specified results in search order"</P> <P>If you want the results in a different order, follow the command with "| reverse"</P> Tue, 28 Feb 2017 00:11:50 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-TAIL-command-listing-the-events-in-order-of-ascending/m-p/330248#M98308 lguinn2 2017-02-28T00:11:50Z Re: Why is the TAIL command listing the events in order of ascending time while the HEAD command lists the events in order of descending time? https://community.splunk.com/t5/Splunk-Search/Why-is-the-TAIL-command-listing-the-events-in-order-of-ascending/m-p/330249#M98309 <P>Thank you very much for your help!</P> Tue, 28 Feb 2017 00:23:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-TAIL-command-listing-the-events-in-order-of-ascending/m-p/330249#M98309 kdwsplunk 2017-02-28T00:23:51Z