In a view like the flashtimeline, there is a selector to choose between the results of the search and the log events from which those results are drawn. If the search includes a term like " ... |stats count(foo) by _time, host", then Splunk handily sorts the results in chronological order. However, if I click over to the events view, these are presented in archaeological order (new stuff on top).
Is there a way that I can get both data views (I'm OK with cloning flashtimeline and creating my own advanced XML to do this...) sorted in the same order?
Not sure whether this works for you, but if you pipe to reverse before the stats, then the job's events will have a reverse sort order, independent of any sorting on the job's final transformed 'results':
<your search> | reverse | stats count(foo) by _time, host
That does make the events in the flashtimeline view appear sorted in ascending time order, and it doesn't affect the stats output.
I've been able to confirm your statement that issuing the search directly does not produce an error.
I'll also note that in the meantime, we've worked around this issue with a " | sort - _time" command instead.
I think this is an intentions bug, one that has been fixed at some point since, and that's why I can't reproduce it on my (unreleased) build. If this is the case, this bug will disappear when you go to the search UI directly and then type in the search yourself. Can you try that?
Running 4.1.2, build 79191.
Strange. No, I'm not sure what that means, and I can't reproduce that message (I tried searches with 0 events, with N<10000 events and N>10000 events). According to the docs the reverse command doesn't take any arguments at all. What version are you running? I'm on a source build a bit newer than 4.1.2, but there shouldn't be any difference wrt reverse.
When I attempt that, I get an error message in the message bar:
Error in 'reverse' command: Invalid argument: 'None'
Is it possible that there is something in my search results which is confusing reverse?