We output a .csv file from Splunk.
When we test on a test machine, the order of the CSV file fields is "Action", "Returncode", "_time", "host", "DB_User", "OS_User", "Userhost", "Terminal".
However, when we run this in production, "Action" and "Returncode" become last, so the order changes to "_time", "host", "DB_User", "OS_User", "Userhost", "Terminal", "Action", "Returncode".
We simply want to know what decides the field order of a .csv file which is output from Splunk. Is there any way we can control the order?
Hi xiyangyang,
It turns out field ordering only happens on the search UI. Command line search does not do this ordering. If you'd like to control the order when you export to CSV, you can do a workaround with an approach similar to the one used here: https://answers.splunk.com/answers/60017/search-jobs-export-changes-order-of-columns-unexpectedly.ht...
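When downstream tooling consumes the exported file, the column order can also be pinned after the export, independently of how the search was run. The following is an added example, not code from this thread or from Splunk: `normalize_csv` is a hypothetical helper, the field names come from the question, and the sample rows are constructed.

```python
import csv
import io

# Column order taken from the question's test-machine output.
PINNED = ["Action", "Returncode", "_time", "host",
          "DB_User", "OS_User", "Userhost", "Terminal"]

def normalize_csv(text, pinned=PINNED):
    """Return CSV text with `pinned` columns first, in that order.

    Columns not named in `pinned` are kept, after the pinned ones, in the
    order they arrived. A missing pinned column raises ValueError so a
    changed search does not silently shift data into the wrong column.
    """
    reader = csv.DictReader(io.StringIO(text, newline=""))
    header = reader.fieldnames or []
    missing = [f for f in pinned if f not in header]
    if missing:
        raise ValueError(f"export is missing fields: {missing}")
    extras = [f for f in header if f not in pinned]
    out = io.StringIO(newline="")
    writer = csv.DictWriter(out, fieldnames=list(pinned) + extras,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(reader)  # rows are looked up by header name, not position
    return out.getvalue()

# Constructed sample rows (not real data), one per ordering in the question.
TEST_EXPORT = (
    '"Action","Returncode","_time","host","DB_User","OS_User","Userhost","Terminal"\n'
    '"LOGON","0","2020-01-01 00:00:00","db01","SCOTT","oracle","app01","pts/1"\n'
)
PROD_EXPORT = (
    '"_time","host","DB_User","OS_User","Userhost","Terminal","Action","Returncode"\n'
    '"2020-01-01 00:00:00","db01","SCOTT","oracle","app01","pts/1","LOGON","0"\n'
)

if __name__ == "__main__":
    print(normalize_csv(PROD_EXPORT), end="")
```

Both orderings from the question normalize to the same file, so a parser or alerting job reading the result no longer depends on which machine produced the export.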