Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Ordering Events that arrive with the same timestamp but are out of order

x213217
Explorer
‎01-16-2019 12:21 PM

I have a few instances where I will get status events for when jobs are running very quickly and appear as the same timestamp in splunk. When this happens I will get a RUNNING status event after a SUCCESS event, which in fact should be reversed. I am doing processing to get the latest status for certain jobs and this causes a problem with that.

Here is an example below, as you see the two events have an identical timestamp but have been pulled in in reverse order. How do i properly get the latest event when the timestamp is shared like this?

alt text

Tags (1)
Preview file
41 KB
0 Karma
Reply

sdchakraborty
Contributor
‎01-17-2019 10:35 AM

what about sorting by index time? This is how you get index time even though your _time is same but indextime will not be same.

| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| sort - indextime

Reply

dottey
New Member
‎09-04-2019 10:50 AM

This did work for me. I wonder if it would "break" if we ever have to backfill data, though.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎01-16-2019 12:56 PM

Looks like you need to add ms to your logging for better granularity and correct ordering. Your jobs are running and completing in under a second. Nothing Splunk can do to fix this

0 Karma
Reply

Vijeta
Influencer
‎01-16-2019 12:25 PM

You can |sort - _time statusCode

0 Karma
Reply

x213217
Explorer
‎01-16-2019 12:32 PM

Unfortunately cannot use that field to sort as for events for Starting Running & Success statuses...these have statusCodes of 3, 1, 4 respectively so the order does not match an increasing pattern

0 Karma
Reply

Vijeta
Influencer
‎01-16-2019 12:37 PM

you can assign your own values, using eval and if and sort based on new field.

eval status=if(statusCode=1,P2,if(statusCode=3,P1, if(statusCode=4,P4)))
0 Karma
Reply
Get Updates on the Splunk Community!

Simplifying the Analyst Experience with Finding-based Detections

    Splunk invites you to an engaging Tech Talk focused on streamlining security operations with ...

[Puzzles] Solve, Learn, Repeat: Word Search

This challenge was first posted on Slack #puzzles channelThis puzzle is based on a letter grid containing ...

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 4

Advent of CodeIn order to participate in these challenges, you will need to register with the Advent of Code ...