Getting Data In

DB Connect: How to prevent append command from sorting columns in alphabetical order in the result set?

pramit46
Contributor

I have a query that looks like the following:
index=<> host=<> |rex=<> spath <>|table a,k,h|sort time|append[|dbquery DB "select X,Z,W,P from table_T where <> Order By time_col"]

the result set has the following columns:
a|k|h|P|W|X|Z
While I expect
a|k|h|X|Z|W|P

How can I get rid of this automatic alphabetical sorting?
While I run the dbquery alone, it works fine and shows me the expected columns.

1 Solution

russellliss
Path Finder

I have gotten around this before by using the table command, so in your example :

index= host= |rex= spath |table a,k,h|sort time|append[|dbquery DB "select X,Z,W,P from table_T where  Order By time_col"] | table a,k,h,X,Z,W,P

View solution in original post

russellliss
Path Finder

I have gotten around this before by using the table command, so in your example :

index= host= |rex= spath |table a,k,h|sort time|append[|dbquery DB "select X,Z,W,P from table_T where  Order By time_col"] | table a,k,h,X,Z,W,P

pramit46
Contributor

Thanks a lot @russellliss. This was really helpful

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...