Hello all,
I would like to use the table command without changing the order of events.
To give an example: When searching for "index=_* earliest=-15m latest=now", the first displayed event has the current time and the last displayed event is 15 minutes in the past. Now when searching for "index=_* earliest=-15m latest=now | table _time,host,index" the events are resorted. _time is no longer descending (or ascending).
I tried "index=_* earliest=-15m latest=now | table _time,host,index | sort 0 -_time". But that does not work 100% because some events have the same timestamp.
So my question is: Can I use the table command (or some other command to form a table based on a given set of columns) without changing the sort order?
I noticed that the sort order is kept when using streamstats. This "feature" is undocumented though.
index=_* earliest=-15m latest=now | streamstats count | table _time,host,index
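An added example (not taken from any post in this thread) that builds on the streamstats observation above: streamstats count numbers the events in the order the search returned them, so that number can also serve as a tie-breaker for the explicit sort that the original question found unreliable when several events share the same _time. The field name event_seq is my own choice.

```spl
index=_* earliest=-15m latest=now
| streamstats count AS event_seq
| table _time, host, index, event_seq
| sort 0 -_time event_seq
```

The streamstats line alone already keeps the original order through table; the final sort only matters if a later command reshuffles the rows, because the secondary key event_seq (ascending) restores the original relative order among events with identical timestamps. Drop event_seq from the table command if you do not want the sequence number shown.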
I created a new request on Splunk Ideas for this issue:
https://ideas.splunk.com/ideas/EID-I-958
If anyone else feels bothered by this, please upvote the idea.
Have you tried fields command
index=_* earliest=-15m latest=now | fields _time,host,index
I tried, but I want the events to be displayed in tabular format.
Displayed in a dashboard? Use the table visualisation panel.
Interestingly enough, the sort order is preserved when doing a dashboard table visualisation with the fields command. However, this approach has two drawbacks:
1) I have to use a second fields command to remove the _raw field: | fields - _raw
2) A drilldown (clicking on the magnifying glass below the panel) will not show a table
Yes, a second fields command is required to remove fields. The magnifying glass is not a drilldown, it opens the query in search (and then you are back to square one).