How to configure Splunk to not put CSV columns in ...

splunk6161 · ‎06-29-2017

When I import the csv file (before indexing), Splunk puts the columns in alphabetical order.
I would keep the sort as in the csv file.
thanks

woodcock · ‎06-29-2017

Splunk does not change anything upon indexing. What you are seeing is the fact that Splunk automatically sorts fields alphabetically if you do something like | table * so instead, list out the fields in the order that you like with | table field1 field2 field3 fieldz.

splunk6161 · ‎06-30-2017

ok but its possible to see columns NOT in alphabetical order before indexing?

woodcock · ‎06-30-2017

Splunk indexes the files EXACTLY AS THEY ARE. It does not resort columns. So sort them in the order you like before Splunk gets a look at them.

sbbadri · ‎06-29-2017

Hello,

you can do the following,

$SPLUNK_HOME/etc/apps//local/transforms.conf

[extract_csv]
filename = extract.csv
index_fields_list = field1, field2 ....

How to configure Splunk to not put CSV columns in alphabetical order before indexing?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to configure Splunk to not put CSV columns in alphabetical order before indexing?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...