Move _time to the last column in the attached mail

rayar — Wed, 30 Sep 2020 04:50:31 GMT

How I can move _time column to be the last on the an attached csv file in the email send by scheduled report

the query returns the _time as the last column but in the attached mail it's set as a fist column

the query

.
.
.
| table USER_ID duser FIRST_NAME LAST_NAME Duration cn1 _time
| rename cn1 as "Duration (sec)", FIRST_NAME as "First Name", LAST_NAME as "Last Name"
| search "First Name"="" AND "Last Name"=""
| outputcsv vpn_data.csv

Re: Move _time to the last column in the attached mail

anmolpatel — Wed, 30 Sep 2020 04:51:03 GMT

@rayar as per the doc for output command, it adds the _time field to the front.
https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Outputcsv#Internal_fields_and_the_outputcsv_command

if you want to have the strict order, here is a workaround:

| rename cn1 as "Duration (sec)", FIRST_NAME as "First Name", LAST_NAME as "Last Name"
| search "First Name"="" AND "Last Name"=""
| eval time = strftime(_time, "%Y-%d-%m %H:%M:%S")
| fields USER_ID duser "First Name" "Last Name" Duration "Duration (sec)" time
| outputcsv vpn_data.csv

topic Move _time to the last column in the attached mail in Splunk Search

Move _time to the last column in the attached mail

Re: Move _time to the last column in the attached mail