I could not figure out how to markdown text in the comments, so I am posting my script as an answer.
Here is the python script
import time import string import splunk import splunk.auth import splunk.search searchQuery = r"search sourcetype=retrans daysago=1 WARNING | sort _time" splunk.mergeHostPath('splunkserv:8089', True) key = splunk.auth.getSessionKey('user','passwd') job = splunk.search.dispatch(searchQuery) while not job.isDone: time.sleep(1) for x in job.events: print x.fields job.cancel()
Try appending this to your search string:
| sort -_time +host
Which will sort in descending time order, then ascending host order
sourcetype="retrans" daysago="1" WARNING | sort _time
This query works from the web interface, but not from my python script.
Could you post your complete search string?
I also tried '| sort _time' and I get no results.
Thanks for the answer.
This query returns rows in descending order.
How do I sort in ascending order by time?
When I use +_time I get nothing.