I would like to have the same order of fields from the result when executing a search command from the user interface and from command line.
Eg when I execute
index=idx_lyl earliest=10/01/2014:0:0:0 latest=11/03/2014:23:59:59 criticity!=".Info" AND criticity!=".Debug" AND criticity!="*Notice" | timechart count by criticity | sort + _time
from the Splunk UI, the fields are in that order
"_time","-.Error","Daemon.Error","Daemon.Warning","Kern.Alert","Kern.Critical","Kern.Error","Kern.Warning","Local4.Error","Local7.Error","Local7.Warning",OTHER
But when I ran the same search from command line the fields are in a different order ie
"-.Error","Daemon.Error","Daemon.Warning","Kern.Alert","Kern.Critical","Kern.Error","Kern.Warning","Local4.Error","Local7.Error","Local7.Warning",OTHER,"_time","_span","_spandays"
The search from command line being used is
splunk search "index=idx_lyl earliest=10/01/2014:0:0:0 latest=11/03/2014:23:59:59 criticity!=\".Info\" AND criticity!=\".Debug\" AND criticity!=\"*Notice\"
| timechart count by criticity | sort + _time" -preview 0 -maxout 0 -output csv > result.csv
Thanks
... View more