- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Outputlookup creating csv with columns that are al...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search that gathers a bunch of data from various sources and appends to 1 big stats that I have reporting in a customized column order.
After I weed out some things I don't like, it looks perfect in search, so I appended a:
| outputlookup file.csv
to the very bottom so it'd write to a reusable csv.
When I look at the dataset/csv it is rearranging my columns into an alphabetical order (caps first).
Is there any way to keep my order in the csv so when I reference it later in an inputlookup I don't need to manually reorder it everytime?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So table "works" but it was too much to keep adding this logic as I have a few columns, and I didn't want to have to keep editing them everywhere as I add/remove them.
In the end, I fixed it differently (going to share how for the next person). Instead of using a csv (that, once again, gets read in will alphabetize the columns (booooo!)) I leveraged a report! It's probably a better way anyway.
Once the report was scheduled, I leverage it using
loadjob savedseach="user:app:reportname"
This preserves column order!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have a table command in the query? That's a sure way to set the order in which fields appear.
Why do you have to reorder fields following inputlookup? Splunk doesn't care what the order is.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I leveraged stats to create the output in a specific order, not table.
It appears that the outputlookup is rearranging my reusable csv alphabetically and then when I call it later it's showing this new alphabetical order.
I'd rather it be in the same order as my stats so that I don't have to reorder every time I call the csv.
(you are right that splunk doesn't care about order, but I do 🙂 )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try putting a table command before outputlookup to enforce the field order. Not sure if it will help, but it might.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was hoping to not have to create a table for each, hence the original question.
That being said, if splunk likes to alphabetize outputlookup tables, then I guess I have to use a table and specify order each time.. yuk..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So table "works" but it was too much to keep adding this logic as I have a few columns, and I didn't want to have to keep editing them everywhere as I add/remove them.
In the end, I fixed it differently (going to share how for the next person). Instead of using a csv (that, once again, gets read in will alphabetize the columns (booooo!)) I leveraged a report! It's probably a better way anyway.
Once the report was scheduled, I leverage it using
loadjob savedseach="user:app:reportname"
This preserves column order!!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
Enterprise Security Content Update (ESCU) | New Releases
