When I run the following search, the time is being show as the oldest first, but SysLog being shown as newest first
index=a host="1" [search index= a host="1" 166.87.245.164 id=* | fields id] | stats values(_time) AS Time values(src) as Client_IP values(syslog_message) as SysLog by id | sort -Time
How can I swap either Time or SysLog so they match?
Switch from values to list, but beware that list tops out at 100 values:
index=a host="1" [search index= a host="1" 166.87.245.164 id=* | fields id]
| stats list(_time) AS Time list(src) AS Client_IP list(syslog_message) AS SysLog BY id
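An added illustration, not part of the original answer, of why the columns drift apart: values() de-duplicates and sorts lexicographically (so epoch times come out oldest first), while list() keeps the order in which stats received the events. Sorting by _time before stats therefore keeps Time, Client_IP and SysLog aligned; the makeresults data and the id value "42" are constructed, and the field names follow the question.

```spl
| makeresults count=4
| streamstats count AS n
| eval id="42", _time=now() - n*3600, src="10.0.0.".n, syslog_message="event ".n
| sort 0 -_time
| stats values(_time) AS Time_values list(_time) AS Time_list list(src) AS Client_IP list(syslog_message) AS SysLog BY id
| eval Time_and_SysLog=mvzip(Time_list, SysLog, " | ")
```

Time_values reads oldest first while Time_list, Client_IP and SysLog all follow the newest-first order set by sort, so the rows line up; the mvzip column makes the pairing explicit and still holds if a later stage re-sorts the multivalue fields.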