Re: How to sort the output baed on time and host?

shahhe · ‎01-25-2011

How can I order the results by time (_time + _subsecond fields) and then by host field?

Thanks.

shahhe · ‎01-26-2011

I could not figure out how to markdown text in the comments, so I am posting my script as an answer.

Here is the python script

import time
import string
import splunk 
import splunk.auth 
import splunk.search

searchQuery = r"search sourcetype=retrans daysago=1 WARNING | sort _time"
splunk.mergeHostPath('splunkserv:8089', True) 
key = splunk.auth.getSessionKey('user','passwd') 
job = splunk.search.dispatch(searchQuery) 

while not job.isDone: 
time.sleep(1) 

for x in job.events: 
   print x.fields 

job.cancel()

Paolo_Prigione · ‎01-26-2011

Try appending this to your search string:

| sort -_time +host

Which will sort in descending time order, then ascending host order

shahhe · ‎01-26-2011

sourcetype="retrans" daysago="1" WARNING | sort _time

This query works from the web interface, but not from my python script.

Paolo_Prigione · ‎01-26-2011

Could you post your complete search string?

shahhe · ‎01-26-2011

I also tried '| sort _time' and I get no results.

shahhe · ‎01-26-2011

Thanks for the answer.
This query returns rows in descending order.
How do I sort in ascending order by time?
When I use +_time I get nothing.

How to sort the output baed on time and host?

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!