Splunk Search

How to arrange table values according to the time present in a log file?

New Member

I have created a table using this query:

source="logfile1.log" OR source="logfile2.log" OR source="3logfile3.zip:*" Cycle={C3*}
|transaction CommonField
|table S.No Cycle FilterCriteria A1_Time K_Time A2_Time D_Time|eval S.No=1 | accum S.No

I want to arrange the table values according to time present in a log file for each event.

0 Karma

Legend

@rajeswarir, can you add a sample of events from your log which contain the timestamp? Does _time for each event at search time not correspond to the timestamp field in your log? What is CommonField? Can you add details on how many events it will correlate? FYI, the _time for multiple correlated events is usually the _time of the earliest event.

Please add sample data, current output and expected output for us to assist you better. You should mask/anonymize any sensitive information before posting here on Splunk Answers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Super Champion

Use the sort command, which sorts all of the results by the specified fields.

...|transaction CommonField|sort 0 - _time|table ...
0 Karma

New Member

I tried, but this is not working out. Do you have any other way? I am extracting data from 3 different log files.
I am taking CommonField and getting A1_Time from logfile1.log, K_Time from logfile2.log, and A2_Time and D_Time from logfile3.log. So the time also differs in all log files. How do I arrange based on time from 2 log files, since in logfile1.log time is not present for events and in logfile2.log and logfile3.log time is present?
Time format example in the log file: 10:06:46.252

0 Karma

Super Champion

You need to configure the timestamp, i.e. _time, using the time field present in your log files, and set it in props.conf.
Use:

TIME_PREFIX = <REGEX to extract timestamp field from log file>
TIME_FORMAT = <Use the TIME_FORMAT>

For reference, have a look at:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Configuretimestamprecognition

So this will store your particular log field as _time, and then you can sort it using _time.

0 Karma
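As an added illustration (not part of this thread, and not an official Splunk sample), this is what the props.conf settings from the answer above look like for a time value in the form 10:06:46.252, covering both the timestamp recognition step and the sort step from the earlier answer. It assumes the time is the first thing on each line of logfile2.log and logfile3.log and that the stanza names match the sources used in the question; the TIME_PREFIX regex must be changed to whatever text precedes the time in the real events.

```ini
# props.conf on the indexer or heavy forwarder (added example, not from this thread).
# Assumption: each event in logfile2.log and logfile3.log starts with a time such as
# 10:06:46.252. If text precedes the time, replace "^" with a regex that matches it.
[source::...logfile2.log]
TIME_PREFIX = ^
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12

# The question's third source is an archive member, so the stanza uses the same pattern.
[source::...logfile3.zip:*]
TIME_PREFIX = ^
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
```

With these stanzas in place (they apply only to data indexed after the change, so re-index a sample to verify), the search from the earlier answer becomes `source="logfile1.log" OR source="logfile2.log" OR source="3logfile3.zip:*" | transaction CommonField | sort 0 - _time | table S.No Cycle FilterCriteria A1_Time K_Time A2_Time D_Time`. Two caveats: `%3N` is the Splunk strptime extension for three-digit fractional seconds, and with a time-only format Splunk has to supply the date itself, so a log that rolls past midnight can sort unexpectedly. Events from logfile1.log carry no timestamp and get a fallback _time instead, and since transaction uses the earliest _time in the group, check a few transactions in the output against the raw K_Time and A2_Time values before trusting the order.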

Super Champion

Hi @rajeswarir,
If this answers your question, then accept the answer to close this question.

0 Karma