Re: How can I keep order of fields in plain format...

Masa · ‎02-10-2012

In email alert as plain text format, the order of fields of a search result is not kept. It is rearranged to keep shorter field first.

For example,



==> SavedSearch Result

 TIME                   COUNT


2012/02/10 09:05:00    163


2012/02/10 09:06:00    1810


2012/02/10 09:07:00    1115


2012/02/10 09:08:00    1240


2012/02/10 09:09:00    672

==> Same search result sent in Email alert (Plain Text)
COUNT TIME

163 2012/02/10 09:05:00

1810 2012/02/10 09:06:00

1115 2012/02/10 09:07:00

1240 2012/02/10 09:08:00

672 2012/02/10 09:09:00

How can I keep the fields order of the search result in plain text email alert?

woodcock · ‎09-08-2019

It is reordering them based on alphabetical order. To keep the order, add this to the bottom:

| rename TIME AS " TIME"

wryanthomas · ‎09-08-2019

That was not my experience. It was sorting them as the documentation indicates -- by an internal assessment of the length (or width) of fields. You can now set that setting -- width_sort_columns -- to "false" in the GUI.

woodcock · ‎09-08-2019

Interesting.

Masa · ‎02-10-2012

In 4.3, we added an attribute for [email] stanza in alert_actions.conf

- alert_actions.conf
[email]
width_sort_columns = 0

This will keep the order of search result in plain text email.

Unfortunately you cannot select this option through WebGUI at this time. So, you need to edit alert_actions.conf manually.

wryanthomas · ‎09-08-2019

It is now available in the gui, under "advanced edit" for the alert.

How can I keep order of fields in plain format of an alert email?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?