Splunk Search

How to arrange table values according to the time present in a log file?

New Member

I have created a table using the query

source="logfile1.log" OR source="logfile2.log" OR source="3logfile3.zip:*" Cycle={C3*}
|transaction CommonField
|table S.No Cycle FilterCriteria A1_Time K_Time A2_Time D_Time|eval S.No=1 | accum S.No

I want to arrange the table values according to the time present in the log file for each event.

0 Karma


@rajeswarir can you add a sample of events from your log which contain the timestamp? Does _time for each event at search time not correspond to the timestamp field in your log? What is CommonField? Can you add details on how many events it will correlate? FYI - the _time for multiple correlated events is usually the _time of the earliest event.

Please add sample data, current output and expected output for us to assist you better. You should mask/anonymize any sensitive information before posting here on Splunk Answers.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Super Champion

Use the sort command, which sorts all of the results by the specified fields.

...|transaction CommonField|sort 0 - _time|table ...
0 Karma

New Member

I tried but this is not working out. Do you have any other way? Since I am extracting data from 3 different log files.
I am taking CommonField and getting A1_Time from logfile1.log, K_Time from logfile2.log and A2_Time and D_Time from logfile3.log. So the time also differs in all log files. How to arrange based on time from 2 log files, since in logfile1.log time is not present for events and in logfile2.log & logfile3.log time is present?
Time format example in log file: 10:06:46.252

0 Karma

Super Champion

You need to configure the timestamp, i.e. _time, using the time field present in the log files, and set it in props.conf:

TIME_PREFIX = <REGEX to extract timestamp field from log file>

For reference have a look at-

So this will store your particular log field as _time, and then you can sort it using _time.

0 Karma
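As an added illustration (not part of the answer above or of any Splunk documentation), here is what such a props.conf could look like for the three sources named in the question, given the time format 10:06:46.252. It assumes the time sits at the very start of each line in logfile2.log and logfile3.log, and that logfile1.log carries no timestamp at all; the stanza names mirror the source values used in the original search, so adjust them if your source is a full path.

```ini
# props.conf - added example, not from the original thread.
# Place it on the instance that parses the data (indexer or heavy
# forwarder). It only affects events indexed after the change; already
# indexed events keep whatever _time they were given.

# logfile2.log: each line begins with a time such as 10:06:46.252.
# TIME_PREFIX is a regex matched before the timestamp; "^" anchors it at
# the line start. If other text (a thread id, a level) precedes the time,
# replace "^" with a regex that matches that text.
[source::logfile2.log]
TIME_PREFIX = ^
TIME_FORMAT = %H:%M:%S.%3N
# Only look 12 characters past TIME_PREFIX for the timestamp, so digits
# later in the line cannot be mistaken for it.
MAX_TIMESTAMP_LOOKAHEAD = 12

# logfile3.log arrives inside a zip; Splunk names archive members
# "<archive>:<member>", which is why the question searches "3logfile3.zip:*".
# "..." in a source stanza matches any characters, including "/".
[source::3logfile3.zip:...]
TIME_PREFIX = ^
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12

# logfile1.log has no time in its events. Stop Splunk from guessing a
# timestamp out of unrelated digits and stamp these events with the index
# time instead; the transaction will then take its _time from the earliest
# event that does carry a real timestamp (logfile2/logfile3).
[source::logfile1.log]
DATETIME_CONFIG = CURRENT
```

Because the log lines carry a time but no date, Splunk fills in the date from context (the previous event of the same source, or the file's modification time for the first event), so check the result before relying on it: `source="logfile2.log" | eval t=strftime(_time, "%H:%M:%S.%3N") | table _raw t` should show `t` equal to the time at the start of `_raw`. Once _time is correct, the search from the earlier answer does the ordering: `... | transaction CommonField | sort 0 - _time | table ...` for newest first, or `sort 0 _time` for oldest first, remembering that a transaction's _time is the _time of its earliest member event.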

Super Champion

Hi @rajeswarir,
If this answers your question, then accept the answer to close it.

0 Karma