I have a few instances where I will get status events for when jobs are running very quickly and appear with the same timestamp in Splunk. When this happens I will get a RUNNING status event after a SUCCESS event, which in fact should be reversed. I am doing processing to get the latest status for certain jobs and this causes a problem with that.
Here is an example below; as you see, the two events have an identical timestamp but have been pulled in in reverse order. How do I properly get the latest event when the timestamp is shared like this?
What about sorting by index time? This is how you get index time: even though your _time is the same, indextime will not be the same.
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| sort - indextime
Unfortunately I cannot use that field to sort, as the events for the Starting, Running & Success statuses have statusCodes of 3, 1, 4 respectively, so the order does not match an increasing pattern.
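One way to break the tie, as an added example rather than anything posted in the thread: map each statusCode to its position in the job lifecycle instead of sorting on the code itself, then sort on _time, index time and that rank before keeping the latest event per job. It assumes a job identifier field named jobId and a status text field named status, neither of which appears in the posts.

```spl
index=jobs sourcetype=job_status
| eval statusRank=case(
    statusCode==3, 1,   ``` Starting comes first in the lifecycle ```
    statusCode==1, 2,   ``` Running comes next ```
    statusCode==4, 3,   ``` Success is the terminal state ```
    true(), 0)          ``` unknown codes sort last, so they never win a tie ```
| sort 0 - _time, - _indextime, - statusRank
| dedup jobId
| table _time jobId status statusCode statusRank
```

The rank only decides ties on _time and _indextime, so normal ordering is untouched; if a job can legitimately return to Running after Success (a retry), that case needs a separate run or attempt field rather than this tie-break.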