Solved: Automatically _time sort want disable?

nitesh218ss · ‎05-04-2015

Hi i have a problem with automatically time sort i want disable _time sort because in my log they have some event which show previous event time they give previous time to give details. but splunk take this time and sort automatically
Because of automatic sorting they change the place of some event so i want completely disable Automatically time sort.

1) I try fields - _time , Not work they not show _time field but sorting happen
2) i try

[other]
disabled = true

in file C:Program Files/Splunk/etc/system/default/times.conf
they also not work

4) i try
| sort _indextime

5) i try
| sort - _indextime

6) i try
| sort + _indextime

7) i try sort 0 - _indextime

Nothing is work if i use _indextime then they give reault 1000 only and other so blank.

Please give me answer

nitesh218ss · ‎05-04-2015

Hi

 we able to disable automatically at a time of indexing 
 when i select file after when you Set Sourcetype

that time you select timestamp current time then they load normally
I got this idea by Rosie Sennett which help me to solve this problem

View solution in original post

nitesh218ss · ‎05-04-2015

Hi

 we able to disable automatically at a time of indexing 
 when i select file after when you Set Sourcetype

that time you select timestamp current time then they load normally
I got this idea by Rosie Sennett which help me to solve this problem

Automatically _time sort want disable?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation