Splunk Search

How to arrange table values according to the time present in a log file?

rajeswarir
New Member

I have created a table using the query

source="logfile1.log" OR source="logfile2.log" OR source="3logfile3.zip:*" Cycle={C3*}
|transaction CommonField
|table S.No Cycle FilterCriteria A1_Time K_Time A2_Time D_Time|eval S.No=1 | accum S.No

I want to arrange the table values according to time present in a log file for each event.

0 Karma

niketn
Legend

@rajeswarir can you add a sample of events from your log which contain a timestamp? Does _time for each event at search time not correspond to the timestamp field in your log? What is CommonField? Can you add details on how many events it will correlate? FYI - the _time for multiple correlated events is usually the _time of the earliest event.

Please add sample data, current output and expected output for us to assist you better. You should mask/anonymize any sensitive information before posting here on Splunk Answers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

493669
Super Champion

Use the sort command, which sorts all of the results by the specified fields.

...|transaction CommonField|sort 0 - _time|table ...
0 Karma

rajeswarir
New Member

I tried but this is not working out. Do you have any other way? Since I am extracting data from 3 different log files.
I am taking CommonField and getting A1_Time from logfile1.log, K_Time from logfile2.log and A2_Time and D_Time from logfile3.log. So the time also differs in all log files. How to arrange based on time from 2 log files, since in logfile1.log time is not present for events and in logfile2.log & logfile3.log time is present?
Time format example in log file: 10:06:46.252

0 Karma

493669
Super Champion

You need to configure the timestamp, i.e. _time, using the time field present in the log files, and set it in props.conf.
Use

TIME_PREFIX = <REGEX to extract timestamp field from log file>
TIME_FORMAT = <Use the TIME_FORMAT>

For reference, have a look at:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Configuretimestamprecognition

So this will store your particular log field as _time, and then you can sort it using _time.

0 Karma
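The following is an added illustration, not part of the thread or of Splunk's own code: a small Python script that does offline what the answer above describes Splunk doing. It extracts a leading timestamp with a regex and a format string (the stand-ins for TIME_PREFIX and TIME_FORMAT), groups events from three constructed log sources by a common field (like the transaction command), takes the earliest timestamp as the group's _time (as noted earlier in the thread), sorts by that time and numbers the rows (like eval S.No=1 | accum S.No). The field names (req, FilterCriteria, A1_Time, K_Time, A2_Time, D_Time) and all log lines are constructed for the example; the time format matches the 10:06:46.252 example from the question.

```python
import re
from datetime import datetime

# Stand-ins for the props.conf settings (assumed layout: the timestamp is
# the first token on the line, in the HH:MM:SS.mmm format from the question).
TIME_PREFIX = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+")
TIME_FORMAT = "%H:%M:%S.%f"   # Python's %f accepts 3-digit milliseconds

FIELD_RE = re.compile(r"(\w+)=(\S+)")  # key=value pairs after the timestamp

# Constructed sample data. logfile1.log has no timestamp column at all,
# mirroring the question; the other two sources begin with a timestamp.
SAMPLE_SOURCES = {
    "logfile1.log": [
        "req=R1 FilterCriteria=alpha A1_Time=start",
        "req=R2 FilterCriteria=beta A1_Time=start",
        "req=R3 FilterCriteria=gamma A1_Time=start",
    ],
    "logfile2.log": [
        "10:06:46.252 req=R2 K_Time=10:06:46.252",
        "10:06:41.100 req=R1 K_Time=10:06:41.100",
    ],
    "logfile3.log": [
        "10:06:47.000 req=R1 A2_Time=10:06:47.000 D_Time=10:06:48.500",
        "10:06:40.010 req=R2 A2_Time=10:06:40.010 D_Time=10:06:49.000",
    ],
}


def parse_event(line, source):
    """Split one log line into fields; _time is None when no leading timestamp matches."""
    m = TIME_PREFIX.match(line)
    fields = dict(FIELD_RE.findall(line))
    fields["source"] = source
    fields["_time"] = datetime.strptime(m.group(1), TIME_FORMAT) if m else None
    return fields


def transaction(events, common_field):
    """Merge events sharing common_field into one row, like `transaction`.

    Each source contributes its own time field (K_Time, A2_Time, ...); the
    merged row's _time is the earliest parsed timestamp among its events.
    """
    groups = {}
    for ev in events:
        key = ev.get(common_field)
        if key is None:          # event has no correlation key; skip it
            continue
        row = groups.setdefault(key, {common_field: key, "_time": None})
        for k, v in ev.items():
            if k in ("_time", "source", common_field):
                continue
            row.setdefault(k, v)  # first value wins, as with transaction's merge
        if ev["_time"] is not None and (row["_time"] is None or ev["_time"] < row["_time"]):
            row["_time"] = ev["_time"]
    return list(groups.values())


def sort_and_number(rows):
    """`sort 0 _time` followed by `eval S.No=1 | accum S.No`; rows lacking _time go last."""
    rows = sorted(rows, key=lambda r: (r["_time"] is None, r["_time"] or datetime.min))
    for i, row in enumerate(rows, start=1):
        row["S.No"] = i
    return rows


def build_table(sources, common_field="req"):
    """Parse every line of every source, correlate, sort by _time and number the rows."""
    events = [parse_event(line, src) for src, lines in sources.items() for line in lines]
    return sort_and_number(transaction(events, common_field))


if __name__ == "__main__":
    cols = ["S.No", "req", "FilterCriteria", "A1_Time", "K_Time", "A2_Time", "D_Time"]
    for row in build_table(SAMPLE_SOURCES):
        stamp = row["_time"].strftime("%H:%M:%S.%f")[:-3] if row["_time"] else "-"
        print(stamp, *(row.get(c, "-") for c in cols))
```

With the constructed data, R2 comes first (its earliest event is 10:06:40.010 in logfile3.log), then R1 (10:06:41.100 in logfile2.log), and R3, which only appears in the timestamp-less logfile1.log, lands last rather than being given a guessed time. In Splunk the corresponding props.conf settings for this layout would be a TIME_PREFIX matching the start of the line and TIME_FORMAT = %H:%M:%S.%3N; any source with no recognizable timestamp is the case worth checking first, since its events cannot sort by a time that was never extracted.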

493669
Super Champion

Hi @rajeswarir,
If this answers your question, then accept the answer to close this question.

0 Karma