Splunk Search

Help sorting by time results in lost records

echelon101
New Member

When I do a sort, the records show up newest first. I will typically search for events on the duration of a week or a month. If I add "| sort time" or "| sort _time" , the records will show up oldest first. The count of events does not change but I am missing events from the first day or two.

For example, with the time picker selecting all of July

            (host="myfirewall") AND ("2018-07-01" OR "2018-07-02" OR "2018-07-03")  

will return 89 records, including all 3 days.

However,

          (host="myfirewall") AND ("2018-07-01" OR "2018-07-02" OR "2018-07-03")  | SORT time 

will return 89 records, oldest first, but does not include "2018-07-01"

Using
| SORT -time

will return 89 records, newest first, but does not include "2018-07-01"


echelon101
New Member

Thanks for the advice. This is really helping me get an idea of what I can do with splunk reporting

It seems whatever I do causes problems when I want to sort oldest first. I also found the "| reverse" command, which is a little simpler since I don't have to worry that I am messing up the date format string. I find that all the regular and reverse queries appear to yield the same number of records, but when I export to CSV, the report lengths are quite different.

Adding "NOT" to my queries seems to be the culprit. For example, the following query is missing event records when I try to sort oldest first.

           (host=somehost AND "this_string"  NOT "that_string") | sort _time

But the following query does show all records

           (host=somehost AND "this_string"  OR "that_string") | sort _time

echelon101
New Member

I have tried the following

| sort _time
| sort -_time
| sort time
| sort -time

with the same results.

If I look at an event log fields in a recent event I see that
time = 2018-08-27 08:14:26
_time = 2018-08-27T08:08:11.000-04:00

The problem may be occurring in search queries that are relatively complex (e.g. where I search for firewall events and have a long "NOT (this OR that OR ...)" statement to filter out events that aren't of interest). I tried to make sure that the entire query prior to the "| sort ...." entry was in ().


horsefez
Motivator

Always do | sort _time and tell me if after that the events still get lost in the void.

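The checks below are an added example, not searches posted by either participant in this thread. They assume only the host name and date strings already used above (host="myfirewall", July 2018 dates) and Splunk's documented behaviour of the sort command: sort keeps at most 10000 results unless the count argument is 0, and reverse does not sort at all but simply flips whatever order the results already have. The first search sorts on _time (the internal epoch timestamp) with the limit removed, then reports whether every event actually carries the extracted string field time and what the earliest and latest _time values are, so the reader can compare that with what shows up at the top of the sorted list. The second search lists the events with both timestamps side by side so a CSV export can be diffed against an export of the unsorted search.

```spl
(host="myfirewall") AND ("2018-07-01" OR "2018-07-02" OR "2018-07-03")
| sort 0 _time
| eval has_time_field=if(isnotnull(time), "yes", "no")
| stats count AS events min(_time) AS first_event max(_time) AS last_event BY has_time_field
| convert ctime(first_event) ctime(last_event)

(host="myfirewall") AND ("2018-07-01" OR "2018-07-02" OR "2018-07-03")
| sort 0 _time
| table _time time host _raw
```

If the first search shows a row with has_time_field="no", then events exist that have no extracted time field, and "| sort time" is ordering on a field those events do not have; "| sort 0 _time" (or "| sort 0 -_time" for newest first) avoids that, and the 0 keeps the sort from silently truncating longer week or month searches at 10000 events.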