Dashboards & Visualizations

How to have a results table always display newest events first, even with real-time searches?

Ayn
Legend

I've built a search form using basic XML, which displays results in a few different ways, among others a results table. I would like to be able to use this form as a real-time dashboard, which works just fine except for that the events in the results table will be displayed as oldest first. Using reverse fixes that in the real-time case, however that has the undesired effect on non-real-time searches that events are displayed in oldest-to-newest order instead. I also understand using reverse has a considerable impact on performance. Is there a way to have the results table always show newest events first, either using simple or advanced XML?

0 Karma
1 Solution

ziegfried
Influencer

This will sort the events/results in descending order of their time:

... | sort -_time

where as this one would sort them in descending order of the time they have been indexed:

... | sort -_indextime

View solution in original post

Ayn
Legend

The search itself is very simple. It uses a searchTemplate with the search 'sourcetype="squid" clientip="$clientip$" uri_host="$uri_host$"' and a searchPostProcess 'sort -_time'. The post processing made it work the way I wanted.

0 Karma

sideview
SplunkTrust
SplunkTrust

can you post the search you're using? I believe the SimpleResultsTable has code that attempts to show newest first even in real time search cases, and I suspect that somehow this default behavior is being subtly defeated.

0 Karma

ziegfried
Influencer

This will sort the events/results in descending order of their time:

... | sort -_time

where as this one would sort them in descending order of the time they have been indexed:

... | sort -_indextime
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...