When I do a sort, the records show up newest first. I will typically search for events over the duration of a week or a month. If I add "| sort time" or "| sort _time", the records will show up oldest first. The count of events does not change, but I am missing events from the first day or two.
For example, with the time picker selecting all of July
(host="myfirewall") AND ("2018-07-01" OR "2018-07-02" OR "2018-07-03")
will return 89 records, including all 3 days.
However,
(host="myfirewall") AND ("2018-07-01" OR "2018-07-02" OR "2018-07-03") | SORT time
will return 89 records, oldest first, but does not include "2018-07-01".
Using
| SORT -time
will return 89 records, newest first, but does not include "2018-07-01".
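An added diagnostic, not part of the original post, for checking where the first day goes: count events per day on the unsorted search, then on the same search after a sort. The second variant uses `sort 0`, which lifts the default result limit of the `sort` command, so the two counts show whether the sort itself is dropping events or only the display is. The host and date strings are taken from the post; `date_mday` is Splunk's default day-of-month field and is assumed to be populated for these events.

```spl
(host="myfirewall") AND ("2018-07-01" OR "2018-07-02" OR "2018-07-03")
| stats count BY date_mday

(host="myfirewall") AND ("2018-07-01" OR "2018-07-02" OR "2018-07-03")
| sort 0 _time
| stats count BY date_mday
```

If both searches report the same per-day counts (including day 1), the events are present in the sorted result set and the difference lies in how the sorted results are displayed; if the second search loses day 1, the sort stage is where they disappear.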