This fails
...
| eval _time=if(sourcetype like "amal%", strftime(time, "%Y-%m-%dT%T.%6N%Z"), _time)
| sort - _time
| jsonformat raw order=sort indent=2
with the error message:
Error in 'jsonformat' command: The external search command 'jsonformat' did not return events in descending time order, as expected.
Most likely just the wrong Configuration options.
This fails
with the error message:
Most likely just the wrong Configuration options.