Solved: Re: Automatically _time sort want disable?

nitesh218ss · ‎05-04-2015

Hi i have a problem with automatically time sort i want disable _time sort because in my log they have some event which show previous event time they give previous time to give details. but splunk take this time and sort automatically
Because of automatic sorting they change the place of some event so i want completely disable Automatically time sort.

1) I try fields - _time , Not work they not show _time field but sorting happen
2) i try

[other]
disabled = true

in file C:Program Files/Splunk/etc/system/default/times.conf
they also not work

4) i try
| sort _indextime

5) i try
| sort - _indextime

6) i try
| sort + _indextime

7) i try sort 0 - _indextime

Nothing is work if i use _indextime then they give reault 1000 only and other so blank.

Please give me answer

nitesh218ss · ‎05-04-2015

Hi

 we able to disable automatically at a time of indexing 
 when i select file after when you Set Sourcetype

that time you select timestamp current time then they load normally
I got this idea by Rosie Sennett which help me to solve this problem

View solution in original post

nitesh218ss · ‎05-04-2015

Hi

 we able to disable automatically at a time of indexing 
 when i select file after when you Set Sourcetype

that time you select timestamp current time then they load normally
I got this idea by Rosie Sennett which help me to solve this problem

Automatically _time sort want disable?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Automatically _time sort want disable?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers