Hello experts and splunkers,
I have batch job log files being indexed into Splunk.
The actual log looks like below.
It's essentially saying that JobA started at 5:35:42 and finished at 5:36:12, and JobA again started at 5:36:12 and finished at 5:36:43.
0,2020-02-09T05:36:43,Server1,End,JobA
,2020-02-09T05:36:12,Server1,Start,JobA
0,2020-02-09T05:36:12,Server1,End,JobA
,2020-02-09T05:35:42,Server1,Start,JobA
When the log file is indexed and I search the index, Splunk returns the same 4 events but in a different sequence like below:
0,2020-02-09T05:36:43,Server1,End,JobA
0,2020-02-09T05:36:12,Server1,End,JobA
,2020-02-09T05:36:12,Server1,Start,JobA
,2020-02-09T05:35:42,Server1,Start,JobA
As you can see, the 2nd and 3rd events have the same _time and the sequence is flipped as compared to the original sequence.
It seems Splunk automatically sorts the events by _time when returning events.
I need the result returned in the original sequence.
Is there any way to instruct Splunk to return events in the original, actual sequence?