How to configure Splunk to not put CSV columns in ...

splunk6161 · ‎06-29-2017

When I import the csv file (before indexing), Splunk puts the columns in alphabetical order.
I would keep the sort as in the csv file.
thanks

woodcock · ‎06-29-2017

Splunk does not change anything upon indexing. What you are seeing is the fact that Splunk automatically sorts fields alphabetically if you do something like | table * so instead, list out the fields in the order that you like with | table field1 field2 field3 fieldz.

splunk6161 · ‎06-30-2017

ok but its possible to see columns NOT in alphabetical order before indexing?

woodcock · ‎06-30-2017

Splunk indexes the files EXACTLY AS THEY ARE. It does not resort columns. So sort them in the order you like before Splunk gets a look at them.

sbbadri · ‎06-29-2017

Hello,

you can do the following,

$SPLUNK_HOME/etc/apps//local/transforms.conf

[extract_csv]
filename = extract.csv
index_fields_list = field1, field2 ....

How to configure Splunk to not put CSV columns in alphabetical order before indexing?

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!

Sign up now >

How to configure Splunk to not put CSV columns in alphabetical order before indexing?

Free LIVE events worldwide 2/8-2/12Connect, learn, and collect rad prizes and swag!Sign up now >

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!

Sign up now >