CSV coming in report is out of order

brianirwin
Path Finder

I have a pretty weird question. I have a query that I have saved and that is emailed out nightly. In the query I have used the 'fields' option to lay out the report in the order I want. When I get my nightly report with the .csv attached, the fields are not in the correct order, but if I click the link in the email (or go to the saved search in the Web UI) they are in the correct order.

My query is listed below for reference but this is happening with several queries.

Name: 'Service Calls by Time' 

Query Terms: 'index=app-myapp sourcetype="AccessLog" ServiceName="*" | stats count, avg(ResponseTime) as AverageResposeTime, min(ResponseTime) as MinResponsetime, max(ResponseTime) as MaxResponsetime, stdev(ResponseTime) as STDDevResponseTime by ServiceName, AccessLogsHTTPResposeCode | eventstats sum(count) as total_hits by ServiceName| eval percent_errors=(100 - (count/total_hits)*100) | eval server_errors(500s)=(total_hits-count) | eval success=(count) | where AccessLogsHTTPResposeCode=200| fields ServiceName, success, server_errors(500s), percent_errors, total_hits, AverageResposeTime,MinResponsetime, MaxResponsetime,STDDevResponseTime | sort - total_hits'

From last night's .csv, the output fields are in the following order:

success, MaxResponsetime, ServiceName, server_errors(500s), percent_errors, AverageResposeTime, STDDevResponseTime, MinResponsetime, total_hits

Also, in writing this question I went back and reviewed the past 7 days' worth of reports, and the fields seem to be consistent in how they are wrong.

But if I run interactively they look fine.

Brian


gkanapathy
Splunk Employee

The default email script sorts the field in order of shortest to longest content, regardless of what your search specifies (though _time is first if it's present). I don't really think it's useful for it to do this either, so it would be helpful if you'd file an enhancement request to have this functionality changed/removed.

brianirwin
Path Finder

This is logged as Case #52387
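
One way to restore the intended column order after the fact, as an added example that is not part of the original thread and not Splunk code: it reads the field list from the search's `fields` clause and rewrites the emailed CSV in that order. The function names `fields_from_spl` and `reorder_csv` are hypothetical, the data row is constructed, and splitting the search on `|` assumes no pipe characters appear inside quoted strings.

```python
import csv
import io
import re

# Search from the question, with the stats/eventstats/eval stages omitted.
SPL = ('index=app-myapp sourcetype="AccessLog" ServiceName="*" '
       '| where AccessLogsHTTPResposeCode=200'
       '| fields ServiceName, success, server_errors(500s), percent_errors, total_hits, '
       'AverageResposeTime,MinResponsetime, MaxResponsetime,STDDevResponseTime '
       '| sort - total_hits')

# Header order as reported in the question; the data row is constructed.
EMAILED_CSV = (
    "success,MaxResponsetime,ServiceName,server_errors(500s),percent_errors,"
    "AverageResposeTime,STDDevResponseTime,MinResponsetime,total_hits\n"
    "980,2300,getAccount,20,2.0,145.2,88.1,12,1000\n"
)


def fields_from_spl(spl):
    """Return the field names of the last `fields` (keep) clause in the search."""
    wanted = []
    for stage in spl.split("|"):  # assumption: no "|" inside quoted strings
        # Match `fields a, b` or `fields + a, b`; skip `fields - a` (removal).
        m = re.match(r"\s*fields\s+(?:\+\s*)?(?!-)(.+)", stage, re.S)
        if m:
            wanted = [f for f in re.split(r"[,\s]+", m.group(1).strip()) if f]
    return wanted


def reorder_csv(text, wanted):
    """Rewrite CSV text with `wanted` columns first, then any remaining columns."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    # Keep only requested fields that exist; append unlisted ones so no data is lost.
    order = [f for f in wanted if f in header] + [f for f in header if f not in wanted]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=order, lineterminator="\n")
    writer.writeheader()
    writer.writerows(reader)
    return out.getvalue()


if __name__ == "__main__":
    print(reorder_csv(EMAILED_CSV, fields_from_spl(SPL)), end="")
```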
