CSV coming in report is out of order

brianirwin
Path Finder

I have a pretty weird question. I have a query that I have saved and that is emailed out nightly. In the query I have used the 'fields' option to lay out the report in the order I want. When I get my nightly report with the .csv attached, the fields are not in the correct order, but if I click the link in the email (or go to the saved search in the Web UI) they are in the correct order.

My query is listed below for reference but this is happening with several queries.

Name: 'Service Calls by Time' 

Query Terms: 'index=app-myapp sourcetype="AccessLog" ServiceName="*" | stats count, avg(ResponseTime) as AverageResposeTime, min(ResponseTime) as MinResponsetime, max(ResponseTime) as MaxResponsetime, stdev(ResponseTime) as STDDevResponseTime by ServiceName, AccessLogsHTTPResposeCode | eventstats sum(count) as total_hits by ServiceName| eval percent_errors=(100 - (count/total_hits)*100) | eval server_errors(500s)=(total_hits-count) | eval success=(count) | where AccessLogsHTTPResposeCode=200| fields ServiceName, success, server_errors(500s), percent_errors, total_hits, AverageResposeTime,MinResponsetime, MaxResponsetime,STDDevResponseTime | sort - total_hits'

From last night's .csv, the output fields are in the following order:

success, MaxResponsetime, ServiceName, server_errors(500s), percent_errors, AverageResposeTime, STDDevResponseTime, MinResponsetime, total_hits

Also, in writing this question I went back and reviewed the past 7 days' worth of reports, and the fields seem to be consistent in how they are wrong.

But if I run interactively they look fine.

Brian

0 Karma

gkanapathy
Splunk Employee

The default email script sorts the fields in order of shortest to longest content, regardless of what your search specifies (though _time is first if it's present). I don't really think it's useful for it to do this either, so it would be helpful if you'd file an enhancement request to have this functionality changed/removed.

0 Karma

brianirwin
Path Finder

This is logged as Case #52387

0 Karma
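
A post-processing workaround for the column reordering discussed in this thread, as an added example that is not part of the original posts or of Splunk's email script: it reads the column order from the `fields` stage of the saved search and rewrites the emailed .csv in that order. The function names and the sample data row are constructed for illustration, and the parser assumes there is no literal `|` inside quoted strings in the search.

```python
import csv
import io
import re

# Tail of the saved search from the question, copied verbatim.
QUERY_TAIL = ('where AccessLogsHTTPResposeCode=200| fields ServiceName, success, '
              'server_errors(500s), percent_errors, total_hits, AverageResposeTime,'
              'MinResponsetime, MaxResponsetime,STDDevResponseTime | sort - total_hits')

# Constructed sample: header in the order the emailed .csv had, one made-up row.
EMAILED_CSV = ('success,MaxResponsetime,ServiceName,server_errors(500s),percent_errors,'
               'AverageResposeTime,STDDevResponseTime,MinResponsetime,total_hits\n'
               '980,412,getAccount,20,2.0,88.5,31.2,12,1000\n')


def fields_from_query(spl):
    """Field list of the last `| fields ...` stage (hypothetical helper).

    Assumes no literal '|' inside quoted strings; `fields - x` stages are skipped.
    """
    wanted = []
    for stage in (s.strip() for s in spl.split('|')):
        m = re.match(r'fields\s+(?![\s-])(?:\+\s*)?(.*)', stage, re.S)
        if m:
            wanted = [f.strip('"') for f in re.split(r'[,\s]+', m.group(1)) if f]
    return wanted


def reorder_csv(csv_text, wanted):
    """Rewrite csv_text with columns in `wanted` order (hypothetical helper)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    present = reader.fieldnames or []
    missing = [f for f in wanted if f not in present]
    if missing:
        raise ValueError(f'columns not in CSV: {missing}')
    # Columns the query did not name (for example _time) are kept, after the named ones.
    header = wanted + [f for f in present if f not in wanted]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator='\n')
    writer.writeheader()
    writer.writerows(reader)
    return out.getvalue()


if __name__ == '__main__':
    print(reorder_csv(EMAILED_CSV, fields_from_query(QUERY_TAIL)), end='')
```

A renamed or dropped field raises `ValueError` rather than silently producing a report with a missing column.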