I have created a table using the query
source="logfile1.log" OR source="logfile2.log" OR source="3logfile3.zip:*" Cycle={C3*}
|transaction CommonField
|table S.No Cycle FilterCriteria A1_Time K_Time A2_Time D_Time|eval S.No=1 | accum S.No
I want to arrange the table values according to time present in a log file for each event.
@rajeswarir can you add a sample of events from your log which contain a timestamp? Does _time for each event at search time not correspond to the timestamp field in your log? What is CommonField? Can you add details on how many events it will correlate? FYI - the _time for multiple events correlated through transaction is usually the _time of the earliest event.
Please add sample data, current output and expected output for us to assist you better. You should mask/anonymize any sensitive information before posting here on Splunk Answers.
Use the sort command, which sorts all of the results by the specified fields.
...|transaction CommonField|sort 0 - _time|table ...
I tried, but this is not working out. Do you have any other way? I am extracting data from 3 different log files.
I am taking CommonField and getting A1_Time from logfile1.log, K_Time from logfile2.log and A2_Time and D_Time from logfile3.log. So the time also differs in all log files. How do I arrange based on time from 2 log files, since time is not present for events in logfile1.log but is present in logfile2.log and logfile3.log?
Time format example in the log file: 10:06:46.252
You need to configure the timestamp, i.e. _time, using the time field present in the log files, and set it in props.conf. Use:
TIME_PREFIX = <REGEX to extract timestamp field from log file>
TIME_FORMAT = <Use the TIME_FORMAT>
For reference, have a look at:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Configuretimestamprecognition
So this will store your particular log field as _time, and then you can sort it using _time.
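As an added illustration of the props.conf settings named above (not part of the original answer), here is a stanza for a time-only timestamp such as 10:06:46.252; the sourcetype name app_log is a hypothetical placeholder, and the regex assumes the time starts each line.

```ini
# Added example, not from the thread. Sourcetype name "app_log" is hypothetical.
[app_log]
# Timestamp begins at the start of the line; adjust the regex if text precedes it
TIME_PREFIX = ^
# 10:06:46.252 -> hours:minutes:seconds.milliseconds (%3N = 3-digit fraction)
TIME_FORMAT = %H:%M:%S.%3N
# Only scan as far as the 12-character timestamp to avoid picking up other numbers
MAX_TIMESTAMP_LOOKAHEAD = 12
```

Timestamp recognition is applied at index time, so data already indexed must be re-indexed for _time to change. Because the log carries no date, Splunk has to supply one itself, so events from different days cannot be told apart by this field alone.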
Hi @rajeswarir,
If this answers your question, then accept the answer to close this question.