
How to sort database field name results in the Events tab in descending order?

Monica7
New Member

Hi,

I have Splunk Light installed on server1 and the Splunk forwarder installed on server2. I just want to track the data that is available in the database on server2 from server1. For that, I have written a scripted input that takes the records from the server2 MySQL database, and the forwarder installed on server2 indexes the data in the server1 Splunk Light instance.

The thing is, now I am able to see the database records that are available on server2 from server1 (through Splunk Web), but those records are coming in ascending order instead of displaying the latest at the top. [screenshot]

In the above screenshot, in the Events tab, the details of the highlighted values (43128, 43129, 43130) are coming in ascending order. Actually 43128 denotes wid, which is one of the field names in the database table on server2. I just want to get the Events tab with the latest wid and its details at the top, so 43130 should come first.

Please help me with how to sort the field that is available in the event in descending order.

I have tried mysearch|eval wid=abs(wid)|sort wid, but that also shows the same output as above.


dkoshe_splunk
Splunk Employee

Note that in Splunk Light, since it is a single instance, the indexer is running together with the search head and Splunk Web on server1 in your case.
When you go to Splunk Web, in the search results (same as your screenshot), you can see the fields Splunk Light has auto-extracted for you.
Click on "14 more fields" and see if the id field is auto-extracted; if it is, then use that field name for sorting, using the | sort command as per the suggestion above.
If the id field is not auto-extracted, please click on the "Extract New Fields" flow, which will take you to the field extraction UI wizard that lets you choose part of the event as a new extracted field.
Hope this helps.


Monica7
New Member

Hi,

It's working now after extracting new fields. Thanks a lot for your help. But the thing is, why was the data shown in ascending order before doing mysearch|eval wid=abs(wid)| sort - wid on the search head?

Actually it should come with the latest at the top irrespective of using the sort command. Please guide me on whether I have missed anything.


dkoshe_splunk
Splunk Employee

By default the latest are on top, but "latest" is determined by the timestamp and not by a custom field. If your data from the database has a timestamp, then you should associate that field as the timestamp (I did not see any time field in your raw event in the screenshot); then the search results will automatically sort with the latest on top.

For any custom field, such as wid in this case, you will have to sort it with the | sort command.


Monica7
New Member

Hi,

Do you mean that the field before the event (Time) is the timestamp here?

Actually in my Events tab, in that list of fields like wid, etc., the last field denotes the timestamp.


kamlesh_vaghela
SplunkTrust

Hi Monica,
Have you tried both of the searches below? Do you see any difference in the events?

mysearch|eval wid=abs(wid)| sort wid

and

mysearch|eval wid=abs(wid)| sort - wid

Can you please try these searches?


Monica7
New Member

Do I need to add my database field names anywhere in Splunk Web?


kamlesh_vaghela
SplunkTrust

Yes, Monica.

Do you have any field extraction configuration for these events?


Monica7
New Member

I have added the lines below to the configuration files of the Splunk forwarder.
Is it correct?

props.conf:

[my_drupalwatchdog_data]
# An unescaped | is regex alternation, so ^[^|]+| matched the empty string at the
# start of the line and never skipped anything. The timestamp is the 11th field
# in FIELDS below, so skip ten pipe-delimited columns before reading it.
TIME_PREFIX = ^(?:[^|]*\|){10}
# Assumes the watchdog timestamp column is epoch seconds (%s); %Q is a subsecond
# format in Splunk and will not parse a plain epoch value.
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 10
SHOULD_LINEMERGE = false
description = Output produced by the Drupal server
# transforms.conf stanzas are only applied when props.conf references them.
# REPORT- is a search-time setting, so it belongs on the Splunk Light instance;
# the TIME_* settings above are index-time and apply wherever parsing happens
# (on the indexer when the forwarder is a universal forwarder).
REPORT-my_db_extractions = my_db_extractions

transforms.conf:

[my_db_extractions]
DELIMS = "|"
FIELDS = wid,uid,type,message,variables,severity,link,location,referer,hostname,timestamp

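As an added example (not code from the thread or from Splunk), the script below models two things discussed above: what the poster's transforms.conf (DELIMS="|" with the FIELDS list ending in timestamp) does to one pipe-delimited watchdog row, and dkoshe_splunk's ordering rule, under which the Events tab is ordered by the event timestamp while a custom field such as wid is ordered only by an explicit | sort - wid. The sample rows are constructed for the example; the field names are the ones from the posted config. The last function goes beyond what DELIMS offers: it anchors the columns around the free-text message so a delimiter inside user-controlled text cannot shift the timestamp column.

```python
"""Added example: a stand-alone model of DELIMS/FIELDS extraction and of
Splunk's default event ordering (by timestamp, not by a custom field).
Not Splunk code; sample rows are constructed."""
from datetime import datetime, timezone

# Field names from the poster's transforms.conf, in the same order.
FIELDS = ["wid", "uid", "type", "message", "variables", "severity",
          "link", "location", "referer", "hostname", "timestamp"]

# Constructed rows in the shape the scripted input emits: one watchdog record
# per line, epoch seconds in the last column. wid 43129 deliberately carries
# the latest timestamp so the two orderings below differ.
SAMPLE_EVENTS = [
    "43128|1|user|Session opened for admin.|a:0:{}|6||/user/login||10.0.0.5|1500000000",
    "43129|0|page not found|/admin/config|a:0:{}|5||/admin/config||10.0.0.9|1500000020",
    "43130|1|php|Notice: Undefined index|a:0:{}|5||/node/1||10.0.0.5|1500000010",
]

# A constructed row whose free-text message contains the delimiter, the kind
# of input an attacker controls (a username typed into a login form).
ROW_WITH_PIPE = ("43131|1|user|Login attempt failed for admin|evil|a:0:{}|4||"
                 "/user/login||10.0.0.7|1500000030")


def extract_delims(raw, fields=FIELDS, delim="|"):
    """Mimic DELIMS/FIELDS: split on every delimiter and pair values with
    names. Surplus values are dropped and surplus names stay unset."""
    return dict(zip(fields, raw.split(delim)))


def extract_anchored(raw, fields=FIELDS, delim="|", free_text="message"):
    """Beyond DELIMS: take the columns before the free-text field from the
    left and the columns after it from the right, so a delimiter inside the
    message cannot shift the later columns (timestamp included)."""
    i = fields.index(free_text)
    n_after = len(fields) - i - 1
    head = raw.split(delim, i)              # i fixed columns, then the rest
    tail = head[-1].rsplit(delim, n_after)  # message, then n_after columns
    return dict(zip(fields, head[:-1] + tail))


def event_time(event):
    """The _time props.conf is meant to assign: epoch seconds from `timestamp`."""
    return datetime.fromtimestamp(int(event["timestamp"]), tz=timezone.utc)


def default_order(events):
    """Events tab with no sort command: latest _time first; wid plays no part."""
    return sorted(events, key=event_time, reverse=True)


def sort_desc(events, field):
    """`| sort - field` on a numeric field: 43130 before 43129 before 43128."""
    return sorted(events, key=lambda e: int(e[field]), reverse=True)


def wids(events):
    """Convenience: the wid column of a list of events, in order."""
    return [e["wid"] for e in events]


if __name__ == "__main__":
    events = [extract_delims(row) for row in SAMPLE_EVENTS]
    print("default (by _time):", wids(default_order(events)))
    print("| sort - wid      :", wids(sort_desc(events, "wid")))
    print("naive timestamp   :", extract_delims(ROW_WITH_PIPE)["timestamp"])
    print("anchored timestamp:", extract_anchored(ROW_WITH_PIPE)["timestamp"])
```

Run as-is to see the two orderings side by side: by timestamp the row with wid 43129 comes first, by | sort - wid the row with wid 43130 does. The naive split of ROW_WITH_PIPE assigns "10.0.0.7" to timestamp, which is also why a stray "|" in a log message can silently move an event to the wrong point in time; the anchored split keeps the epoch value where it belongs.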

kamlesh_vaghela
SplunkTrust

Hi Monica,

Checked.

Have you tried this configuration on the indexer?

and

Please check the link below for which configuration should be on the forwarder and which on the indexer. I hope it will help you.

https://wiki.splunk.com/Community:HowIndexingWorks


Monica7
New Member

Hi,

I have gone through the link. But I am still unclear about which files I have to modify on the Splunk Light indexer for the scripted input.

Apart from this, the regular configuration for Splunk Light and the Splunk forwarder is already done, and data is getting forwarded correctly.

I need the configuration that has to be done for the scripted input. Can you please help me with this?


Monica7
New Member

No Kamlesh, it's not working. I have tried both.
