Splunk Search

Splunk automatically sorts events based on date/time; I want to disable this feature for a particular log file?

nitesh218ss
Communicator

I have a log file in which, after every transaction completes, some events show the earlier times from when the transaction started to when it ended.

So Splunk automatically sorts all log events based on _time, and the events that show a time 1 or 2 seconds back also get sorted automatically, so I want to disable the automatic sort.
I want the events shown in the normal sequence present in the log.
How do I disable the date/time?

My log sample:

13:06:30.706|0000536|2|32| |O|Received response from OG
13:06:30.706|1303635|2|32| |O|IsVoid set to [0], VoidSource is [0]
13:06:30.706|1303635|2|32| |O|Creating new reply object to send response
13:06:30.721|0000536|2|32| |O|1|13:06:29.331|1010051221690010175F2F61179807901**********************************50000415031813062282682610(EMV_DATA)104800601320000020000E0B8C803030000000500082641740400000000350001FDD29099
TT: 62 (ms) 13:06:29.378|1221690010175F2F61079807901
**********************************500015031813062282682610(EMV_DATA)104800601320000020000E0B8C8
13:06:30.706|122169001017512000AUTH CODE:13974401503(EMV_DATA)00080000100112345678901234512341002GP15077000000AB1
13:06:30.721|12216900101751300213974400AUTH CODE:1397440F8140EEF84CFDB03303000080000100112345678901234512341002GP15077000000AB166B90A0B0001303635431621328
13:06:30.721|0000536|2|32| |O|getLogMsg returned: [229^101005^17^ihost-uatlive^1^2^5^S^12^11^13^0175^231^0^15^D^18^22169001^21^150318^22^130600^24^TtWlS34ZjBo=^25^0^26^00000005000^199^00000005000^29^XTKueLHMJ9pDGvfSQn0xXI6sjf7niXAV^252^0119^181^1^274^1^275^0^45^43^71^00^80^79807901^82^20150318^83^130629^84^ASH001303635^23^139744^30^92^70^476173900^126^1^147^0^148^4^149^0^160^0^16^0^195^2^176^826^40^826^177^^178^22^179^10^188^^180^0^112^19T9oislVJ5BK0JAImpkLAabsxoTy33RPIQ1ZlzXeIqH1jFaPSra1N5vWtTzlP60ImUeKraJJRx+RfdiM19E1ISp1SIjKOtuDuSaTPQNny4dfm+pQZAm9x+mQV2tR3sdyHGbKXMP+WoRXMoXIHMRwyAzdUq8II/YNRm3uXrftmoyo=^112^21104800601320000020000E0B8C8030300000005000826417404000000000000003501^19^3^137^F2F6^151^0^150^0^146^000800^112^20F8140EEF84CFDB033030^112^2200100112345678901234512341002GP15077000000AB1^95^AUTH CODE:139744^196^1^119^5000^94^826^224^1^223^1^254^000000^134^1.7404^33^000000^253^5C413DD4331BA4E6436E2E96FDA471D3^107^^32^0000^]
13:06:30.721|0000536|1|66| |O|Receive return code indicates 358 bytes received
13:06:30.721|0000536|1|66| |O|Detached from socket [127.0.0.1:2050] having received [358] bytes
13:06:30.721|0000536|1|66| |O|Received 356 byte response from Handler
13:06:30.721|0000536|1|66| |O|Closing send socket [127.0.0.1:2050]

If you look, the first 4 lines are normal, after that there are again 3 events with old times, and after that the last 4 lines are normal.

0 Karma
1 Solution

nitesh218ss
Communicator

Hi

We are able to disable the automatic sorting at indexing time: when I select the file and then go to Set Sourcetype,

at that point you select the timestamp as the current time, and then they load normally.
I got this idea from Rosie Sennett, which helped me solve this problem.


0 Karma

nitesh218ss
Communicator

But at indexing time I use LINE_BREAKER and it works correctly, but when I add
FIELD_DELIMITER = |
FIELD_NAMES = timee,audit,serviceType,processId,serviceName,indicator,status1,status2,status3,status4,status5,status6
the line break does not work.

0 Karma

woodcock
Esteemed Legend

This is probably the DUMBEST thing I have ever told anybody to do but here goes. You cannot "disable sort" the way you desire because sorting by _time is at the core of what Splunk fundamentally does. The only way I can see to do what you are asking is to force all events to have the same identical (bogus) time. You can do this with this datetime.xml file:
<datetime>

  <!-- Date: the three capture groups are bound to month, day, year.
       The month here is numeric, so the variable is "month" ("litmonth" is for spelled-out month names). -->
  <define name="_hardcodedate" extract="month, day, year">
    <text>(12)(25)(2014)</text>
  </define>

  <!-- Time: the four capture groups are bound to hour, minute, second, subsecond. -->
  <define name="_hardcodetime" extract="hour, minute, second, subsecond">
    <text>(01)(23)(45)(678)</text>
  </define>

  <timePatterns>
    <use name="_hardcodetime"/>
  </timePatterns>
  <datePatterns>
    <use name="_hardcodedate"/>
  </datePatterns>

</datetime>
This should cause all events to go into the tsidx in the order that they are processed, because each has the same timestamp. It would probably be best if you somehow managed to set the date to a date that moves, rather than hard-coding it (maybe get it from the filename) so that your events appear near-now without having to update your hard-coded day/month values in the datetime.xml.

0 Karma
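To make the behaviour in this thread concrete, here is an added Python illustration; it is not part of the thread and not Splunk code. It takes a shortened, constructed copy of the sample log from the question, extracts the first HH:MM:SS.mmm from each line (the timestamp pattern and the "a line with no timestamp inherits the previous event's time" rule are assumptions modelled on Splunk's default timestamp recognition), shows that ordering by that extracted time moves the two "old time" lines ahead of everything else, and shows that giving every event the same timestamp, as in the datetime.xml workaround above and the "current time" choice in the accepted answer, leaves the file order intact under a stable sort.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a shortened copy of the log excerpt from the question.
# The fifth and sixth lines carry an older time (13:06:29.378) and are the ones
# that a sort by _time pulls out of place. The fourth line also contains an
# older time (13:06:29.331), but only after its own timestamp, so the first
# match wins and that line stays put.
SAMPLE_LOG = """\
13:06:30.706|0000536|2|32| |O|Received response from OG
13:06:30.706|1303635|2|32| |O|IsVoid set to [0], VoidSource is [0]
13:06:30.706|1303635|2|32| |O|Creating new reply object to send response
13:06:30.721|0000536|2|32| |O|1|13:06:29.331|1010051221690010175F2F61179807901(EMV_DATA)
TT: 62 (ms) 13:06:29.378|1221690010175F2F61079807901
**********************************500015031813062282682610(EMV_DATA)104800601320000020000E0B8C8
13:06:30.706|122169001017512000AUTH CODE:13974401503(EMV_DATA)
13:06:30.721|0000536|1|66| |O|Receive return code indicates 358 bytes received
13:06:30.721|0000536|1|66| |O|Closing send socket [127.0.0.1:2050]
"""

# Assumed timestamp shape for this log: HH:MM:SS.mmm. The first match in a
# line is used, mirroring how a timestamp extractor scans from the left.
TIME_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2})\.(\d{3})")


@dataclass
class Event:
    seq: int        # position in the file; stands in for arrival (_indextime) order
    time_ms: int    # extracted time as ms since midnight; stands in for _time
    raw: str


def to_ms(hh: int, mm: int, ss: int, ms: int) -> int:
    return ((hh * 60 + mm) * 60 + ss) * 1000 + ms


def extract_ms(line: str) -> Optional[int]:
    """Return the first HH:MM:SS.mmm in the line as ms, or None if there is none."""
    m = TIME_RE.search(line)
    if not m:
        return None
    return to_ms(*(int(g) for g in m.groups()))


def parse_log(text: str) -> List[Event]:
    """Turn each line into an Event. A line with no timestamp inherits the
    previous event's time (assumed here, modelled on Splunk's default)."""
    events: List[Event] = []
    last_ms = 0
    for seq, line in enumerate(text.splitlines()):
        ms = extract_ms(line)
        if ms is None:
            ms = last_ms
        last_ms = ms
        events.append(Event(seq, ms, line))
    return events


def time_sorted(events: List[Event]) -> List[Event]:
    """Order by extracted time. Python's sort is stable, so events with equal
    times keep their file order."""
    return sorted(events, key=lambda e: e.time_ms)


def with_fixed_time(events: List[Event], fixed_ms: int) -> List[Event]:
    """The workaround discussed in the thread: stamp every event with the same
    time so that a sort by time has nothing to reorder."""
    return [Event(e.seq, fixed_ms, e.raw) for e in events]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("file order:       ", [e.seq for e in evs])
    print("sorted by _time:  ", [e.seq for e in time_sorted(evs)])
    print("with fixed time:  ", [e.seq for e in time_sorted(with_fixed_time(evs, 0))])
```

Run it with python3 and compare the three printed sequence lists. In Splunk the equivalent of with_fixed_time is indexing with the current time instead of the time inside the event (DATETIME_CONFIG = CURRENT in props.conf for the sourcetype, which is what the "current time" choice in Set Sourcetype configures); the trade-off is that the real event time is then no longer _time and has to be read from the extracted text field if it is needed.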

nitesh218ss
Communicator

I gave a solution to this problem, please see answer 3.

But at indexing time I use LINE_BREAKER and it works correctly, but when I add
FIELD_DELIMITER = |
FIELD_NAMES = timee,audit,serviceType,processId,serviceName,indicator,status1,status2,status3,status4,status5,status6
the line break does not work?

0 Karma

woodcock
Esteemed Legend

If I am understanding you correctly, you would like to be able to use Splunk to show a reconstituted view of the original file. If so, this should work:


| sort 0 - _indextime | stats list(_raw) by source

0 Karma

nitesh218ss
Communicator

Now I am able to see the raw data, but I am not able to do any operation on it, such as showing fields in a table; they are also in sorted order, and only the top 1000 fields are shown, after which the rest is blank.
I want the automatic time sort disabled, after which I can do my own operations on the data.
If you want the log file then mail me at nitesh.hadoop@gmail.com
I use

[other]
disabled = true

in the file C:\Program Files\Splunk\etc\system\default\times.conf
but that also does not work.

0 Karma

vganjare
Builder

Hi,

Can sorting on _indextime help you?

Thanks!!

0 Karma

nitesh218ss
Communicator

No, that also does not work. I want the automatic time sorting disabled, but I am not able to find out how to do it.

0 Karma

satishsdange
Builder

What's the objective of removing the timestamp? If you don't need it in the report, just use xxx | fields - _time

0 Karma

nitesh218ss
Communicator

I used fields - _time, but that only removes the _time field; the automatic sort based on time is not disabled, and the results still come out in time-sorted order after that.

0 Karma