How I can move _time column to be the last on the an attached csv file in the email send by scheduled report
the query returns the _time as the last column but in the attached mail it's set as a fist column
the query
.
.
.
| table USER_ID duser FIRST_NAME LAST_NAME Duration cn1 _time
| rename cn1 as "Duration (sec)", FIRST_NAME as "First Name", LAST_NAME as "Last Name"
| search "First Name"="" AND "Last Name"=""
| outputcsv vpn_data.csv
@rayar as per the doc for output command, it adds the _time field to the front.
https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Outputcsv#Internal_fields_a...
if you want to have the strict order, here is a workaround:
| rename cn1 as "Duration (sec)", FIRST_NAME as "First Name", LAST_NAME as "Last Name"
| search "First Name"="" AND "Last Name"=""
| eval time = strftime(_time, "%Y-%d-%m %H:%M:%S")
| fields USER_ID duser "First Name" "Last Name" Duration "Duration (sec)" time
| outputcsv vpn_data.csv