Solved: Why is the TAIL command listing the events in orde...

kdwsplunk · ‎02-27-2017

Hello,

I ran a search that had 15,000+ events. The table had the same amount of results. The results were listed in reverse chronological order for the most part.

I wanted to see the last 10 results. So I used the TAIL command. But the last 10 results were in chronological order. It was counter intuitive to me because I thought it would be similar to scrolling down to the bottom of the original list. I was expecting the last 10 results to be in reverse chronological order.

| eval myTime=_time
| eval myTime2=strftime(myTime,"%Y-%m-%d %H:%M:%S:%3Q")
| bucket SPAN=5m _time
| tail 
| table _time myTime myTime2

_time ----------------------------------- myTime ---------------- myTime2
2012-03-16T12:30:00.000+0000 1331901000.000000 2012-03-16 12:30:00:000
2012-03-16T12:30:00.000+0000 1331901000.000000 2012-03-16 12:30:00:000
2012-03-16T12:30:00.000+0000 1331901000.000000 2012-03-16 12:30:00:000
2012-03-16T12:30:00.000+0000 1331901000.000000 2012-03-16 12:30:00:000
2012-03-16T12:30:00.000+0000 1331901000.000000 2012-03-16 12:30:00:000
2012-03-16T12:30:00.000+0000 1331901000.010000 2012-03-16 12:30:00:010
2012-03-16T12:30:00.000+0000 1331901000.020000 2012-03-16 12:30:00:020
2012-03-16T12:30:00.000+0000 1331901000.020000 2012-03-16 12:30:00:020
2012-03-16T12:30:00.000+0000 1331901000.030000 2012-03-16 12:30:00:030
2012-03-16T12:30:00.000+0000 1331901000.040000 2012-03-16 12:30:00:040

I then ran the HEAD command to see if that would also change the order. But it did not. The HEAD command put the first 10 events in reverse chronological order as expected.

| eval myTime=_time
| eval myTime2=strftime(myTime,"%Y-%m-%d %H:%M:%S:%3Q")
| bucket SPAN=5m _time
| head 
| table _time myTime myTime2

_time ----------------------------------- myTime ---------------- myTime2
2012-03-16T13:25:00.000+0000 1331904442.350000 2012-03-16 13:27:22:350
2012-03-16T13:25:00.000+0000 1331904442.220000 2012-03-16 13:27:22:220
2012-03-16T13:25:00.000+0000 1331904442.100000 2012-03-16 13:27:22:100
2012-03-16T13:25:00.000+0000 1331904442.090000 2012-03-16 13:27:22:090
2012-03-16T13:25:00.000+0000 1331904442.000000 2012-03-16 13:27:22:000
2012-03-16T13:25:00.000+0000 1331904442.000000 2012-03-16 13:27:22:000
2012-03-16T13:25:00.000+0000 1331904442.000000 2012-03-16 13:27:22:000
2012-03-16T13:25:00.000+0000 1331904442.000000 2012-03-16 13:27:22:000
2012-03-16T13:25:00.000+0000 1331904441.960000 2012-03-16 13:27:21:960
2012-03-16T13:25:00.000+0000 1331904441.950000 2012-03-16 13:27:21:950

Why is the TAIL command listing the events in order of ascending time while the HEAD command lists the events in order of descending time?

lguinn2 · ‎02-27-2017

Because that how the commands are written. The documentation for tail says " events are returned in reverse order, starting at the end of the result set..." The documentation for head says "Returns the first N number of specified results in search order"

If you want the results in a different order, follow the command with "| reverse"

View solution in original post

lguinn2 · ‎02-27-2017

Because that how the commands are written. The documentation for tail says " events are returned in reverse order, starting at the end of the result set..." The documentation for head says "Returns the first N number of specified results in search order"

If you want the results in a different order, follow the command with "| reverse"

kdwsplunk · ‎02-27-2017

Thank you very much for your help!

Why is the TAIL command listing the events in order of ascending time while the HEAD command lists the events in order of descending time?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk