Getting Data In

What decides the order of the fields output in CSV files from Splunk, and is there a way to control the order?

xiyangyang
Path Finder

We output .csv file from splunk.

When we test on a test machine, the order of CSV file fields is "Action", "Returncode", "_time","host","DB_User","OS_User","Userhost","Terminal".

However, when we run this in production, "Action" and "Returncode" become last, so the order changes to "_time","host","DB_User","OS_User","Userhost","Terminal", "Action", "Returncode".

We simply want to know what decides the field order of a .csv file which is output from Splunk? Is there anyway we can control the order?

0 Karma

jluo_splunk
Splunk Employee
Splunk Employee

Hi xiyangyang,

It turns out field ordering only happens on the search UI. Command line search does not do this ordering. If you'd like to control the order when you export to CSV, you can do a work around with an approach similar to the one used here : https://answers.splunk.com/answers/60017/search-jobs-export-changes-order-of-columns-unexpectedly.ht...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...