Getting Data In

CSV coming in report is out of order

Path Finder

I have a pretty weird question. I have a query that I have saved and is emailing out nightly. In the query I have used the 'fields' option to lay out the report in the order I want. When I get my nightly report with .csv attached the fields are not in the correct order, but if I click the link in the email (or go to the saved search in the Web UI) they are in the correct order.

My query is listed below for reference but this is happening with several queries.

Name: 'Service Calls by Time' 

Query Terms: 'index=app-myapp sourcetype="AccessLog" ServiceName="*" | stats count, avg(ResponseTime) as AverageResposeTime, min(ResponseTime) as MinResponsetime, max(ResponseTime) as MaxResponsetime, stdev(ResponseTime) as STDDevResponseTime by ServiceName, AccessLogsHTTPResposeCode | eventstats sum(count) as total_hits by ServiceName| eval percent_errors=(100 - (count/total_hits)*100) | eval server_errors(500s)=(total_hits-count) | eval success=(count) | where AccessLogsHTTPResposeCode=200| fields ServiceName, success, server_errors(500s), percent_errors, total_hits, AverageResposeTime,MinResponsetime, MaxResponsetime,STDDevResponseTime | sort - total_hits'

from last nights .csv the output fields are in the following order

success, MaxResponsetime, ServiceName, server_errors(500s), percent_errors, AverageResposeTime, STDDevResponseTime, MinResponsetime, total_hits

Also in writing this question I went back and reviewwed the past 7 days worth or reports and the fields seem to be consistent in how they are wrong.

But if I run interactively they look fine.

Brian

Tags (3)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

The default email script sorts the field in order of shortest to longest content, regardless of what your search specifies (though _time is first if it's present). I don't really think it's useful for it to do this either, so it would be helpful if you'd file an enhancement request to have this functionality changed/removed.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

The default email script sorts the field in order of shortest to longest content, regardless of what your search specifies (though _time is first if it's present). I don't really think it's useful for it to do this either, so it would be helpful if you'd file an enhancement request to have this functionality changed/removed.

View solution in original post

0 Karma

Path Finder

This is logged as Case #52387

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!