Splunk Search

flashtimeline: Results and events sorted in same time order?

smisplunk
Path Finder

In a view like the flashtimeline, there is a selector to choose between the results of the search and the log events from which those results are drawn. If the search includes a term like " ... |stats count(foo) by _time, host", then Splunk handily sorts the results in chronological order. However, if I click over to the events view, these are presented in archaeological order (new stuff on top).

Is there a way that I can get both data views (I'm OK with cloning flashtimeline and creating my own advanced XML to do this...) sorted in the same order?

1 Solution

sideview
SplunkTrust

Not sure whether this works for you, but if you pipe to reverse before the stats, then the job's events will have a reverse sort order, independent of any sorting on the job's final transformed 'results'.

<your search> | reverse | stats count(foo) by _time, host

That does make the events in the flashtimeline view appear sorted in ascending time order, and it doesn't affect the stats output.


smisplunk
Path Finder

When I attempt that, I get an error message in the message bar:

Error in 'reverse' command: Invalid argument: 'None'

Is it possible that there is something in my search results which is confusing reverse?

sideview
SplunkTrust

Strange. No, I'm not sure what that means, and I can't reproduce that message (I tried searches with 0 events, with N<10000 events and N>10000 events). According to the docs the reverse command doesn't take any arguments at all. What version are you running? I'm on a source build a bit newer than 4.1.2, but there shouldn't be any difference w.r.t. reverse.

smisplunk
Path Finder

Running 4.1.2, build 79191.

sideview
SplunkTrust

I think this is an intention bug, one that has been fixed at some point since, and that's why I can't reproduce it on my (unreleased) build. If this is the case, this bug will disappear when you go to the search UI directly and then type in the search yourself. Can you try that?

smisplunk
Path Finder

I've been able to confirm your statement that issuing the search directly does not produce an error.

I'll also note that in the meantime, we've worked around this issue with a " | sort - _time" command instead.
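The accepted answer's reverse-before-stats approach, written out as a complete search so it can be pasted into the search bar. This is an added example, not code from the original thread; the index, sourcetype, time range and the status field are assumptions for illustration.

```spl
index=web sourcetype=access_combined earliest=-24h latest=now
| reverse
| stats count(status) AS requests by _time, host
```

Because reverse takes no arguments and simply flips whatever order the search returned (newest-first by default), the events tab of the job shows the matching events oldest-first, while the stats table is grouped by _time and host exactly as before. If you prefer the explicit-sort workaround mentioned in the last comment, note that " | sort - _time" sorts descending (newest first); " | sort 0 _time" sorts ascending, and the leading 0 lifts sort's default cap of 10,000 results so nothing is silently dropped before stats runs.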