Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"sort _time" is losing days/events for timechart

HeinzWaescher
Motivator
‎10-30-2013 10:11 AM

Hi,

i would like to sort the events by _time and create a timechart.

  1. | timechart span=1d dc(user)
    Here the displayed timechart is from 2012-06-02 to 2013-10-08

  2. | sort _time | timechart span=1d dc(user)
    Here the displayed timechart is from 2012-06-02 to 2013-08-02. So Splunk is losing events during the sorting process.

edit: I just checked a simple stat with, and without "sort _time" command. The result of this test was a very big difference of the count.

Thanks for help 🙂

Best

Heinz

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cramasta
Builder
‎10-30-2013 12:44 PM

The sort command by default will limit you to 10000 results. To sort and return all results you need to run the command like this

| sort 0 _time

You can read more about it here
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Sort

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cramasta
Builder
‎10-30-2013 12:44 PM

The sort command by default will limit you to 10000 results. To sort and return all results you need to run the command like this

| sort 0 _time

You can read more about it here
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Sort

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎10-31-2013 01:30 AM

Hi cramasta,

thanks a lot. This was the reason, all events are sortet now 🙂
Do you know if there is a difference between | sort _time and |reverse? The result seems to be the same?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎10-30-2013 12:33 PM

Not sure why you would want to sort by _time ascending - Splunk is already returning its results in reverse chronological time (so equivalent to sort - _time) and this is what timechart wants. Just leave out your sort command and you should be fine.

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎10-31-2013 01:25 AM

Hi Ayn,

thanks for your post. What i wanted to achieve is, to sort the splunk events ascending. Because i'm using a last() command in my final search, which should always write the previous fieldvalue per user in each event.

I justrecognized the missing events, because because of the shorter timechart. That's why i mentioned it first. So it was a bad explanation from my side.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...