Splunk Search

table command without changing sort order

whrg
Motivator

Hello all,

I would like to use the table command without changing the order of events.

To give an example: When searching for "index=_* earliest=-15m latest=now", the first displayed event has the current time and the last displayed event is 15 minutes in the past. Now when searching for "index=_* earliest=-15m latest=now | table _time,host,index" the events are resorted. _time is no longer descending (or ascending).

I tried "index=_* earliest=-15m latest=now | table _time,host,index | sort 0 -_time". But that does not work 100% because some events have the same timestamp.

So my question is: Can I use the table command (or some other command to form a table based on a given set of columns) without changing the sort oder?

Labels (1)
0 Karma
1 Solution

whrg
Motivator

I noticed that the sort order is kept when using streamstats. This "feature" is undocumented though.

 

 

index=_* earliest=-15m latest=now | streamstats count | table _time,host,index

 

 

View solution in original post

0 Karma

whrg
Motivator

I noticed that the sort order is kept when using streamstats. This "feature" is undocumented though.

 

 

index=_* earliest=-15m latest=now | streamstats count | table _time,host,index

 

 

0 Karma

whrg
Motivator

I created a new request on Splunk Ideas for this issue:

https://ideas.splunk.com/ideas/EID-I-958

If anyone else feels bothered by this, please upvote the idea.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Have you tried fields command

index=_* earliest=-15m latest=now | fields _time,host,index
0 Karma

whrg
Motivator

I tried, but I want the events to be displayed in tabular format.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Displayed in a dashboard? Use the table visualisation panel.

0 Karma

whrg
Motivator

Interestingly enough, the sort order is preserved when doing a dashboard table visualisation with the fields command. However, this approach has two drawbacks:

1) I have to use a seconds fields command to remove the _raw field: | fields - _raw

2) A drilldown (clicking on the magnifying glass below the panel) will not show a table

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Yes, a second fields command is required to remove fields. The magnifying glass is not a drilldown, it opens the query in search (and then you are back to square one).

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...