Splunk® Cloud Services

SPL2 Search Reference

reverse command examples

The following are examples for using the SPL2 reverse command. To learn more about the reverse command, see How the SPL reverse command works.

1. Reverse events

This example shows a set of events returned from a search. By default, events are returned with the most recent event first.

Time Event
17 Sep 2021 6:20:54.000 PM 182.236.164.11 - - [17/Sep/2021:18:20:54] "POST /cart/success.do?JSESSIONID=SD6SL8FF10ADFF53101 HTTP 1.1" 200 356 "http://www.buttercupgames.com/cart.do?action=purchase&itemId=EST-6" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 220
17 Sep 2021 6:18:59.000 PM 198.35.1.75 - - [17/Sep/2021:18:18:59] "POST /cart/success.do?JSESSIONID=SD10SL2FF4ADFF53099 HTTP 1.1" 200 2568 "http://www.buttercupgames.com/cart.do?action=purchase&itemId=EST-16" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 386
17 Sep 2021 6:16:23.000 PM 221.204.246.72 - - [17/Sep/2021:18:16:23] "POST /cart/success.do?JSESSIONID=SD9SL7FF3ADFF53096 HTTP 1.1" 200 1206 "http://www.buttercupgames.com/cart.do?action=purchase&itemId=EST-18" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.5 Safari/534.55.3" 596
17 Sep 2021 6:13:34.000 PM 91.205.189.15 - - [17/Sep/2021:18:13:34] "POST /cart/success.do?JSESSIONID=SD10SL4FF1ADFF53066 HTTP 1.1" 200 3129 "http://www.buttercupgames.com/cart.do?action=purchase&itemId=EST-21" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 591

When you add the reverse command to the end of your search, the rows are reversed showing the oldest event first.

Time Event
17 Sep 2021 6:13:34.000 PM 91.205.189.15 - - [17/Sep/2021:18:13:34] "POST /cart/success.do?JSESSIONID=SD10SL4FF1ADFF53066 HTTP 1.1" 200 3129 "http://www.buttercupgames.com/cart.do?action=purchase&itemId=EST-21" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 591
17 Sep 2021 6:16:23.000 PM 221.204.246.72 - - [17/Sep/2021:18:16:23] "POST /cart/success.do?JSESSIONID=SD9SL7FF3ADFF53096 HTTP 1.1" 200 1206 "http://www.buttercupgames.com/cart.do?action=purchase&itemId=EST-18" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.5 Safari/534.55.3" 596
17 Sep 2021 6:18:59.000 PM 198.35.1.75 - - [17/Sep/2021:18:18:59] "POST /cart/success.do?JSESSIONID=SD10SL2FF4ADFF53099 HTTP 1.1" 200 2568 "http://www.buttercupgames.com/cart.do?action=purchase&itemId=EST-16" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 386
17 Sep 2021 6:20:54.000 PM 182.236.164.11 - - [17/Sep/2021:18:20:54] "POST /cart/success.do?JSESSIONID=SD6SL8FF10ADFF53101 HTTP 1.1" 200 356 "http://www.buttercupgames.com/cart.do?action=purchase&itemId=EST-6" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 220

2. Reverse aggregated results

The following search uses the stats command to determine the number of different page requests, GET and POST, that occurred for each Web server.

FROM main WHERE sourcetype=access_* | stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY host

The results look something like this:

host GET POST
www1 8431 5197
www2 8097 4815
www3 8338 4654

Add the reverse command to the end of the search.

FROM main WHERE sourcetype=access_* | stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY host | reverse

The rows in the results are reversed.

host GET POST
www3 8338 4654
www2 8097 4815
www1 8431 5197

See also

reverse command
reverse command overview
reverse command syntax details
reverse command usage
Last modified on 31 January, 2024
reverse command usage   rex command overview

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters