topic Re: How to define the table column order in CLI searches in Splunk Search

How to define the table column order in CLI searches

ciir — Mon, 16 Nov 2015 10:06:19 GMT

Hi @ all,

I'm using this search:

sourcetype=wineventlog:system (EventCode=20001) | table _time, EventCode, ComputerName, Message | sort _time desc

If invoked in the Splunk GUI, the table has the fields/columns in the order which is defined within the search using the table command.

But if the search is invoked within the Windows cmd.exe or Powershell, the order of the fields is:
EventCode, _time, Message, ComputerName

I've found a similar question here (https://answers.splunk.com/answers/204709/fields-order-when-using-splunk-search-in-command-l.html ), which tells us to use fields field1, field2, .... However, by using the fields, command I can't output my results as CSV. I also tried to rename the fields, but still no luck and the order remains the same.

Any idea how I can explicitly define the order of my columns within a table using a CLI search?

thanks in advance
-ciir

Re: How to define the table column order in CLI searches

woodcock — Mon, 16 Nov 2015 21:55:31 GMT

Show us the command and error when using fields with outputcsv; it should work fine.

Re: How to define the table column order in CLI searches

ciir — Tue, 17 Nov 2015 10:13:23 GMT

Thank you @woodcock for answering.

By doing the searches again I found out the following:

It works, but its not working as it supposed to be.
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | fields _time, EventCode, ComputerName" -maxout 2 -output csv

and the output is:

"_serial","_time","_raw" ...data...

its in fact csv but not the fields I want.
I also figured out that using Message is not good for csv because it has many linefeeds.

It works fine if and only if I run the search with the table command like this:

.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | table _time, EventCode, ComputerName | fields _time, EventCode, ComputerName" -maxout 2 -output csv

but again the order is different to what i defined. The order is: EventCode, _time, ComputerName

Re: How to define the table column order in CLI searches

Sebastian2 — Tue, 17 Nov 2015 10:53:45 GMT

Is there maybe a default value for the order, when using Web Search that doesn't affect the CLI search? Have you tried .\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | fields + _time, EventCode, ComputerName" -maxout 2 -output csv (added a + between fields and _time)

Re: How to define the table column order in CLI searches

ciir — Tue, 17 Nov 2015 11:42:53 GMT

Thank your very much @Sebastian2 the added + does the trick!
But only if it is used the following way:
.\splunk.exe "sourctype="wineventlog:system EventCode=20001 | table _time, EventCode, ComputerName | fields + _time, EventCode, ComputerName" -maxout 2

Re: How to define the table column order in CLI searches

Sebastian2 — Tue, 17 Nov 2015 11:58:45 GMT

Great! Maybe you should consider a bug-report with detailed information for the Splunk Team; I'm sure that doesn't work as intended

Re: How to define the table column order in CLI searches

ciir — Tue, 17 Nov 2015 12:37:49 GMT

I discovered that as soon as you add -output csv the order of the fields are changed.

Re: How to define the table column order in CLI searches

woodcock — Tue, 17 Nov 2015 17:49:22 GMT

Try | fields keepcolorder=t.