rtorder

rtorder

Synopsis

Buffers events from real-time search to emit them in ascending time order when possible.

Syntax

rtorder [discard=<bool>] [buffer_span=<span-length>] [max_buffer_size=<int>]

Optional arguments

buffer_span

Syntax: buffer_span=<span-length>

Description: Specify the length of the buffer. Default is 10 seconds.

discard

Syntax: discard=<bool>

Description: Specifies whether or not to always discard out-of-order events. Default is false.

max_buffer_size

Syntax: max_buffer_size=<int>

Description: Specifies the maximum size of the buffer. Default is 50000, or the max_result_rows setting of the [search] stanza in limits.conf.

Description

The rtorder command creates a streaming event buffer that takes input events, stores them in the buffer in ascending time order, and emits them in that order from the buffer only after the current time reaches at least the span of time given by buffer_span after the timestamp of the event.

Events will also be emitted from the buffer if the maximum size of the buffer is exceeded.

If an event is received as input that is earlier than an event that has already been emitted previously, that out of order event will be emitted immediately unless the discard option is set to true. When discard is set to true, out of order events will always been discarded, assuring that the output is always strictly in time ascending order.

Examples

Example 1: Keep a buffer of the last 5 minutes of events, emitting events in ascending time order once they are more than 5 minutes old. Newly received events that are older than 5 minutes are dicarded if an event after that time has already been emitted.

See also

sort

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the rtorder command.

• Was this topic useful?
• Post a comment