Reputation: 9898
Splunk - Export events in received order
I am working with an instance of Splunk that collects logs from a local server. I noticed that some events are in the wrong order, e.g., some events are associated with a date in year 2020, while I know for sure - cross-checked with a local log - that they were produced a couple of days ago.
I am unable to retrieve all the logs from the local server, therefore I want to export the logs from Splunk, where they are stored after execution from the local server. However, the export (with the | reverse operation), produces a log where most of the lines are in the right order of execution, but ~20% of them is in the wrong order.
Is there a way to export the raw events, in the order they were received by Splunk, and not in the order based on the Splunk's timestamp?
Upvotes: 0
Views: 869
Answers (1)
Reputation: 9926
It sounds like you may have a problem with parsing timestamps so Splunk is incorrectly reading part of the data as the year 2020. Review the props.conf settings for the sourcetype to make they're correct for the data. But that's not the question you asked.
Splunk has a hidden field called _indextime that stores when the event was written to disk. You can sort on this field, but will have to copy it to a non-hidden field first.
<your search>
| eval indexTime=_indextime
| sort + indexTime
...
Upvotes: 2
Related Questions
- Splunk Event JSON to Table
- Splunk : extract multiple values from each event
- splunk query based on log stdout
- Splunk data export using API
- Event viewer logs to .txt file non-encrypted
- Splunk: Stats from multiple events and expecting one combined output
- How to download the raw log files from splunk
- How to add custom field to events in Splunk?
- Splunk - Get Prefefined Outputs Based on the event count and event data
- Splunk Custom Log format Parsing