Sorry for the silly attention-grabbing dancing question mark. 🙂

Thanks for any help on this. I've had to dive into the deep end of Splunk with no previous exposure for various staffing reasons, so please forgive my ignorance.

I'm trying to get my use of the sort 0 command (to override the 10k scheduler output limitation. I'm using the cloud version so no control on the conf files on the server or anything like that.

Where am I still missing a sort 0?!?

I've got this, but it's still truncating all rows after 10,000 rows.

Thing.process.valid.request OR herschel.update.job.completed

| transaction activity_id startswith="Thing.process.valid.request" endswith="herschel.update.job.completed"

| eval start_time=_time

| eval end_time=_time+duration

| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(start_time) AS ThingPackager_Start

| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(end_time) AS Sent_To_Thing

| eval delay_hours = round(duration/60/60, 2)

| rename activity_id AS tar_name

| eval media_assetID=substr(tar_name,1,12)

| sort 0 end_time

| stats first  as *, first(_*) as _* by media_assetID

| table Thing_Start Sent_To_Thing start_time end_time Thing_id tar_name media_assetID delay_hours | sort 0 by delay_hours desc

Thank you for any help, I'm going bonkers trying to get my head around this syntax.