Can the search sort events order so that you alway...

romedome · ‎03-28-2018

In my years of Splunking I recall that you could not rely on events arriving in synchronous order 100% of the time. Rather, you will get them as the Search Head receives them based on how fast or slow the indexers are. This, in turn, means that you can't rely on first() or last() on giving you the earliest or latest value of a field. You'll only see this happen once in a blue moon, but it can happen. The problem is I can't find the original documentation that stated this issue.
My friend, on the other hand, says that the search head sorts events so that you always get them in reverse chronological order because he's never seen the opposite happen.

Who's right?

kmaron · ‎03-28-2018

according to Splunk Docs here: http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchTutorial/Startsearching

By default, the events appear as a list that is ordered starting with the most recent event.

romedome · ‎03-28-2018

Right, but are there scenarios that cause the default ordering to break?

kmaron · ‎03-28-2018

This is old so it may not apply anymore but you might find it pertains

https://answers.splunk.com/answers/246691/search-head-not-consistently-ordering-results-from.html

romedome · ‎03-28-2018

Yes, his question pertains to mine. Wish I could find something official.
Thanks!

Can the search sort events order so that you always get them in reverse chronological order?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?