topic Re: Define field order on export in Splunk Search

Define field order on export

CerielTjuh — Wed, 05 May 2010 18:40:07 GMT

Hi there,

I have a saved search that I want to run every day at noon, I am sending the results trough mail and want to analyse them, but the fields order isn't logic.

host="fw.azl.local" type="event" subtype="admin" pri="notice" seq!="" | fields - _* | fields date, time, ui, user, msg, devname, sintf, dintf, saddr, daddr, svr, act

My results are in a different order then the one i am searching for (date, time, etc..) How can i make sure i have the same order in my mail as the search string ?

Thnx !

Re: Define field order on export

bfaber — Fri, 07 May 2010 03:44:13 GMT

What version of Splunk is this? I think that the ordering was an issue prior to 4.0...

Re: Define field order on export

CerielTjuh — Fri, 07 May 2010 13:48:50 GMT

Latest version, 4.1.2, I found out yesterday that if i create a new dashboard with the search, the order is fine, only when i create a saved search and let Splunk e-mail me the results it is messed up.

Re: Define field order on export

bfaber — Sat, 08 May 2010 01:37:10 GMT

That may be a bug -- I'd send it to support@splunk.com...

Re: Define field order on export

kbecker — Fri, 18 Jun 2010 04:27:00 GMT

I was told by support that the field order difference between the the web GUI and saved searches is a bug and should be resolved in 4.1.4.

Re: Define field order on export

gkanapathy — Fri, 18 Jun 2010 05:13:18 GMT

The script that sends emails out specifically re-orders fields by length of content (field with longest value first). I have modified the script to remove this logic, but yes it would be nice if that is being done permanently.

Re: Define field order on export

CerielTjuh — Fri, 18 Jun 2010 13:28:13 GMT

Thnx guys, I will wait for the new release 🙂

Re: Define field order on export

southeringtonp — Mon, 16 Aug 2010 20:44:11 GMT

The email functionality is driven by a script called 'sendemail.py' in the search app. If you're brave, you can do this: - copy sendemail.py to sendemail-custom.py - make any changes you like in that script - add this to apps/search/local/commands.conf: [sendemail] filename = sendemail-custom.py

Your custom version can do whatever you want it to, but the drawback is you now have to maintain it if Splunk makes changes to the original (for example, the addition of PDF emails in Splunk 4.1)

I use a modified version of the script that adds CSS formatting to the email and re-orders the fields if it sees a 'fields' command in the search string.