Solved: Missing columns when exporting to CSV

rhysjones · ‎12-08-2010

Hello,

I have a search that returns 3 columns of data allowing us to check the first logon of the day (or last logoff of the dat) for accounts. (see below). The issue is that when we go to Export to CSV when logged on as a limited access user, we only get the first 2 columns. So, we list Date, UserName, and Time, and in the export we only get Date and UserName. If we go in as the admin user we get all 3 columns correctly. I am not sure what permissions options would be required to add that extra column.

We currently use v4.1.3 but are planning to upgrade.

Thanks for any thoughts on this !

Rhys

gkanapathy · ‎12-09-2010

There are problems in 4.1.3 and earlier when you have field names that have a space in them and you perform an export from the Web GUI. (Bug SPL-30825)

It should have been fixed as of 4.1.4. Note the the outputcsv command is not subject to this problem. You should also be able to work around this by changing your column name "Logon Time" to "Logon_Time" (or "LogonTime" or whatever).

View solution in original post

shresthas · ‎07-15-2014

When I am doing export search using java sdk, I am missing columns when I running this query.

search sourcetype=sourcetype_1 OR (sourcetype=sourcetype_2 NOT (Session_Duration="Session Duration"))|rex field=sourcetype "(?[^\W]+)(?[^_\W]+)" |eval client_ip_address = Client_Address|eval Document_Session_Duration = Session_Duration| eval Message=replace(Message, ",","-")| eval Document=replace(Document, ",","-")| iplocation client_ip_address|table Timestamp,User,Document,Message,Document_Session_Duration,server_type, source_log_type, host, client_ip_address, City, Country

what gives ? I am using splunk 6.1.1

rhysjones · ‎01-07-2011

I can now confirm that adding an "_" in the column name (removing the blank space) resolves the problem. Thanks gkanapathy.

rhysjones · ‎12-10-2010

Yes, thats correct, all columns are visible on screen. This is only a problem for the limited access user when using the Action / Export feature in the WEB GUI. I'll try the suggestion below regarding spaces in the field name and see if that helps. Thankyou.

gkanapathy · ‎12-09-2010

There are problems in 4.1.3 and earlier when you have field names that have a space in them and you perform an export from the Web GUI. (Bug SPL-30825)

It should have been fixed as of 4.1.4. Note the the outputcsv command is not subject to this problem. You should also be able to work around this by changing your column name "Logon Time" to "Logon_Time" (or "LogonTime" or whatever).

rhysjones · ‎12-12-2010

I am actually going to be away for a few weeks so I'll have to give this a go when I return. THankyou for the feedback !

gkanapathy · ‎12-10-2010

Can't blame you. It's a bug.

rhysjones · ‎12-10-2010

Thankyou. I'll give that a try. Didn't occur to me to look at spaces in the names ! Thanks again.

southeringtonp · ‎12-08-2010

Just to clarify - when the limited access user runs the query interactively, are all of the columns available? They're only missing when you actually do the export?

Missing columns when exporting to CSV

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation