From df1c2bac5fa39467b6bee9a6b1dd68d00f6737ae Mon Sep 17 00:00:00 2001
From: Sean Whalen <whalenster@gmail.com>
Date: Tue, 9 Oct 2018 11:12:00 -0400
Subject: [PATCH] Fix Splunk forensic dashboard sorting

---
 splunk/dmarc_forensic_dashboard.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/splunk/dmarc_forensic_dashboard.xml b/splunk/dmarc_forensic_dashboard.xml
index a4d611b..f501b76 100644
--- a/splunk/dmarc_forensic_dashboard.xml
+++ b/splunk/dmarc_forensic_dashboard.xml
@@ -38,7 +38,7 @@
       <title>Forensic samples</title>
       <table>
         <search>
-          <query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | fillnull value="none" | stats count by _time,parsed_sample.headers.From,parsed_sample.headers.To,parsed_sample.headers.Reply-To,parsed_sample.headers.Subject | sort -_time</query>
+          <query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | fillnull value="none" | stats count by arrival_date_utc,parsed_sample.headers.From,parsed_sample.headers.To,parsed_sample.headers.Reply-To,parsed_sample.headers.Subject | sort -arrival_date_utc</query>
           <earliest>$time_range.earliest$</earliest>
           <latest>$time_range.latest$</latest>
         </search>
@@ -95,4 +95,4 @@
       </table>
     </panel>
   </row>
-</form>
+</form>
\ No newline at end of file