Splunk Search

Why is time value being reversed?

manic3773
Engager

When I run the following search, the time is being show as the oldest first, but SysLog being shown as newest first

index=a host="1" [search index= a host="1" 166.87.245.164 id=* | fields id] | stats values(_time) AS Time values(src) as Client_IP values(syslog_message) as SysLog by id | sort -Time

How can swap either Time or Syslog so they match.

0 Karma
1 Solution

woodcock
Esteemed Legend

Switch from values to list but beware that list tops out at 100 values:

index=a host="1" [search index= a host="1" 166.87.245.164 id=* | fields id]
| stats list(_time) AS Time list(src) AS Client_IP list(syslog_message) AS SysLog BY id

View solution in original post

woodcock
Esteemed Legend

Switch from values to list but beware that list tops out at 100 values:

index=a host="1" [search index= a host="1" 166.87.245.164 id=* | fields id]
| stats list(_time) AS Time list(src) AS Client_IP list(syslog_message) AS SysLog BY id
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...