Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Make splunk return latest results first

godouet
New Member
‎08-26-2016 04:22 AM

Hi,

I have a dashboard with search queries which take tens of seconds to run. The results are displayed as charts, and they tend to come in random order (i.e. we see the line grow randomly across the X axis). Yet what I tend to worry the most about are the most recent days.

I was wondering if there was a way to give a hint to Slunk to specify that I am more interested in seeing the latest results first?
I understand this may not be in a strict order given the map-reduce, but if say each indexer returned the results in that order it would already be helpful.

Thx,
Thibault.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-26-2016 08:09 AM

Splunk has two search modes, returning data in reverse time order or batch mode without that ordering. See http://docs.splunk.com/Documentation/Splunk/6.4.3/Knowledge/Configurebatchmodesearch for some background info. Whenever Splunk can use batch mode (e.g. counting events, time order doesn't matter), performance will improve.

You could turn batch mode off (see docs link) to always get reverse time order, but I'd rather recommend improving the searches powering your charts.

Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-26-2016 05:58 AM

from a similar post -
Splunk starts to search events at the current time, and progressively search backward in the past.
first() returns the first seen result -> the most recent reference
last() returns the last seen result - > the oldest reference
documentation -
http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonStatsFunctions

Splunk is a reverse time-series index, so while it might be confusing, it is technically correct. The results of a Splunk search are ordered by default from most recent to least recent.

if you give us the queries you use and the timeline, we can do some troubleshooting.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-26-2016 08:10 AM

Please do not link to 4.3.1 documentation, that version had its end of life many years ago. Many concepts were added since then, e.g. batch mode search.
If anyone's still using 4.3.1, please upgrade.

Reply

ChrisG
Splunk Employee
Splunk Employee
‎08-26-2016 02:23 PM

Here is the current doc link: http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/CommonStatsFunctions

Reply

godouet
New Member
‎08-26-2016 08:02 AM

So from what you say it should do what I would like out of the box, i.e. starts from the latest event and gradually go further back in time?

An example of a query is:

earliest=-14d@d latest=@d index=license_summary source=License_Accounting host=XYZ | eval GB=bytes/1024/1024/1024 | timechart span=1d eval(round(sum(GB),0)) by pool

The strange thing is that when I just ran this again, and the result from 2 weeks ago was one of the first to come back.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-26-2016 04:37 AM

Have you considered datamodel acceleration to just make things run fast enough to not care about ordering?

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...