Splunk Search

sorting by latest event - dashboard - table

mcbradford
Contributor

I have a dashboard with a few table views. I want the first event to be the most recent event (so sort by most recent event) - like the way they are displayed by default when you do a search. I do not have a time stamp field.

0 Karma

Ayn
Legend

You always have a timestamp field! It's called _time and by sorting descending by it you get the most recent events first.

... | sort - _time

Ayn
Legend

You're doing "top" as the second command in that search. top generates statistics on events and returns the aggregated statistics for the events, so the details for those events (including timestamp) will not be available after running top. This is why sorting by _time does not work in this search. What is it you want the search to show?

0 Karma
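One way to keep the "most recent first" ordering Ayn describes while still aggregating per user, as an added example that is not from either poster in this thread (it assumes the same index, sourcetype fields and 10-row limit as the search quoted in the thread):

```spl
index=myindex action="AUTHN_LOGIN_EVENT" result="SUCCESS" my-Users earliest=-24h
| stats count latest(_time) AS last_seen BY login_name, last_name, first_name
| sort - last_seen
| head 10
| eval emp_name=last_name.", ".first_name
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| rename login_name AS "User-ID", emp_name AS "Employee Name", last_seen AS "Last Login"
| table "User-ID" "Employee Name" "Last Login" count
```

Because the BY clause groups on the user fields rather than on _time, each user appears once (no dedup needed) and the table is ordered by each user's most recent successful login, with count showing how many logins that user had in the window.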

mcbradford
Contributor

index=myindex action="AUTHN_LOGIN_EVENT" result="SUCCESS" my-Users earliest=-24h | top login_name, last_name, first_name | eval emp_name=last_name. ", " .first_name|rename emp_name as "Employee Name" | rename login_name as User-ID | table "User-ID" "Employee Name"| sort - _time
Successful My Users

This will not sort by _time

0 Karma

Ayn
Legend

You need to specify how it "did not work". What does your search look like? What does your dashboard XML look like? By default Splunk is returning the latest events first, so if the events in your table are sorted in any other order that implies you are doing something else in your search that interferes with that default behaviour.

0 Karma

mcbradford
Contributor

I tried this and it did not work, so instead I tried | top _time, field1, field2 and this works. The only problem this creates is field1 might be repeated. If I dedup field1, I get fewer than 10 results.

0 Karma