I am working on some Splunk searches that rely heavily on the order in which the events are returned by the search command.
I searched a lot of docs to find some quote that says I can rely on this order, but it seems there is no such guarantee.
So for every search, I need to pre-sort the results by | sort 0 -_time to be confident about the order. This introduces a big performance penalty because the searches operate on large datasets. Is there a statement about this that I missed somewhere? And what does your experience tell about relying on the order?
EDIT: The root of this question is the use of the streamstats command as a hack to replace the non-existent by-clause for the delta operator. So it looks something like ... | streamstats current=f window=1 global=f first(_time) as prev_time by object_id; upon this I can calculate the time-delta for events of each distinct object. It does not matter if I do it forward or backward, I could build the query either way, but in both ways this is highly dependent on the order being correct. It does not matter if the order is stable in this case.
It seems that, based on DalJeanis's answer, especially in clustered deployments the default order cannot be guaranteed. I would be very grateful if someone could provide a definitive answer.
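An added example, not part of the original post: a small Python model of the per-object delta described in the EDIT, showing which ordering property the calculation depends on and how a single streaming pass can detect a violation. The model assumes the streamstats call yields, for each event, the _time of the preceding event with the same object_id; the function names and sample events are constructed for illustration.

```python
def prev_time_by_object(events):
    """Model of: streamstats current=f window=1 global=f
    first(_time) as prev_time by object_id
    Each event receives the _time of the previous event, in stream
    order, that carries the same object_id (None for the first one)."""
    last_seen = {}
    out = []
    for ev in events:
        oid = ev["object_id"]
        out.append({**ev, "prev_time": last_seen.get(oid)})
        last_seen[oid] = ev["_time"]
    return out


def deltas(events):
    """Per-event delta, assuming newest-first order within each object."""
    return {
        (e["object_id"], e["_time"]): e["prev_time"] - e["_time"]
        for e in prev_time_by_object(events)
        if e["prev_time"] is not None
    }


def order_violations(events):
    """One pass, no sort: events that are newer than the preceding
    event of the same object, i.e. where newest-first order is broken."""
    return [
        (e["object_id"], e["_time"])
        for e in prev_time_by_object(events)
        if e["prev_time"] is not None and e["prev_time"] < e["_time"]
    ]


# Constructed sample events (epoch seconds shortened for readability).
SAMPLE = [
    {"object_id": "a", "_time": 100}, {"object_id": "b", "_time": 105},
    {"object_id": "a", "_time": 130}, {"object_id": "b", "_time": 165},
    {"object_id": "a", "_time": 190},
]

# Globally newest-first, as `| sort 0 -_time` would produce.
NEWEST_FIRST = sorted(SAMPLE, key=lambda e: -e["_time"])
# Different global interleaving, same newest-first order per object.
GROUPED = sorted(SAMPLE, key=lambda e: (e["object_id"], -e["_time"]))
# Two events of object "a" swapped: per-object order is broken.
DISORDERED = NEWEST_FIRST[:]
DISORDERED[0], DISORDERED[2] = DISORDERED[2], DISORDERED[0]
```

In this model only the relative order of events within one object_id affects the deltas. A single misplaced event also corrupts the delta of its neighbour without making it negative, so the check has to look at ordering rather than at the sign of each delta alone.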