Dashboards & Visualizations

How to fix the error "The external search command 'xmlkv' did not return events in descending time order, as expected"?

rarangarajanspl
Explorer

I am getting the error **"The external search command 'xmlkv' did not return events in descending time order, as expected"** along with my search results.

Dashboard functionality works as expected and search results are getting displayed. Please find the code snippet for one panel for reference and suggest. There are 6 panels altogether with different queries.

```xml
<form script="SBT.js" refresh="320">
  <label>SBT </label>
  <!-- Base search; the table below post-processes it via base="baseSearch" -->
  <search id="baseSearch">
    <!-- CDATA keeps the named capture groups (?<Name>...) from being parsed as XML tags -->
    <query><![CDATA[
      source="log.2020-05-08"
      | rex field=_raw "((?<LogType>(\w*))\s(?<MsgCode>(\d+))\s((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))\s(?<TimeStamp>(\d{8}\s\d{6}))\s(?<TextMsg>([\w\s.:,/()]*)))"
      | rex field=number "(?<Number>([\d]*))/\d"
      | xmlkv maxinputs=10000
      | rename "SBT-type" as Mtracktype "SBT-exception-code" as MTrackECode
      | eval LogTimeStamp=strftime(strptime(TimeStamp,"%Y%m%d%H%M%S"),"%m/%d/%Y %H:%M:%S %p")
      | sort -LogTimeStamp
    ]]></query>
  </search>

  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="SBTNo" depends="$tknNoPanel$" searchWhenChanged="false">
      <label>SBT Number</label>
      <default></default>
      <change>
        <!-- An empty input is turned into a wildcard -->
        <condition value="">
          <set token="SBTNo">*</set>
        </condition>
      </change>
    </input>
  </fieldset>

  <row>
    <panel depends="$tknNoPanel$">
      <title> Results </title>
      <!-- Export link, shown once the table search has finished and set $export_sid$ -->
      <html depends="$export_button$">
        <a class="btn btn-primary" role="button" href="/api/search/jobs/$export_sid$/results?isDownload=true&amp;timeFormat=%25FT%25T.%25Q%25%3Az&amp;maxLines=0&amp;count=0&amp;filename=input_CSVExport&amp;outputMode=csv">Export</a>
      </html>
      <table id="table1">
        <search base="baseSearch">
          <query>
            search (SBTnumber=$SBTNo$ OR Number=$SBTNo$ OR type=$SBTNo$ OR AWB=$SBTNo$)
            | table LogType LogTimeStamp Msg SBTtype SBTnumber
          </query>
          <done>
            <set token="export_sid">$job.sid$</set>
            <set token="export_button">1</set>
          </done>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
```