I am Japanese. Posting using Google translation.
I want to output the CSV file uploaded to Splunk in the original field order with a header.
However, when you upload a CSV file to Splunk, the fields are sorted alphabetically.
Please let me know if there is a way to not sort when uploading.
Or, please let me know if there is a way to restore the order when outputting.
@lloydknight is correct; the Lookup File Editor app will show you all fields, including invisible fields that begin with underscore (_) characters, in the exact order that they appear. This app is built into Enterprise Security or you can install it on any other Search Head here:
Thank you for the advice.
When I tried Lookup File Editor App, the display was the original display.
However, after uploading data, I want to execute search and table commands. (Execute by query on the dashboard.)
Eventually it was replaced with a table command and it did not work.
I am a contributor.
I'm sorry. I misunderstood the cause of the problem.
It seems that the column order problem is not due to CSV upload but to the table command specification.
This is the end of this question.
Thank you for your cooperation.
You should use the table command before the final output.
If you want to create dashboard:
<fields>your expected fields order</fields>
please use this option.
Yes, I use the dashboard.
What I want to do is:
1. Upload log data in CSV format
2. Analyze log data in dashboard using homebrew APP.
(APP calculates the analysis result for each log line)
3. Combine the original log data and analysis results and output as CSV file.
Here is an example.
col_a, col_b, col_c
aaa, bbb, ccc
ddd, eee, fff
ggg, hhh, iii
col_a, col_b, col_c, Result
aaa, bbb, ccc, 1
ddd, eee, fff, 2
ggg, hhh, iii, 3
However, when output, the order of col_a, col_b, col_c will change.
I think it is because it is sorted when uploading.