Getting Data In

Outputlookup creating csv with columns that are alphabetical?

maxsteel
Explorer

I have a search that gathers a bunch of data from various sources and appends to 1 big stats that I have reporting in a customized column order.
After I weed out some things I don't like, it looks perfect in search, so I appended a:
| outputlookup file.csv
to the very bottom so it'd write to a reusable csv.

When I look at the dataset/csv it is rearranging my columns into an alphabetical order (caps first).

Is there any way to keep my order in the csv so when I reference it later in an inputlookup I don't need to manually reorder it everytime?

 

Labels (1)
0 Karma
1 Solution

maxsteel
Explorer

So table "works" but it was too much to keep adding this logic as I have a few columns, and I didn't want to have to keep editing them everywhere as I add/remove them.

In the end, I fixed it differently (going to share how for the next person).  Instead of using a csv (that, once again, gets read in will alphabetize the columns (booooo!)) I leveraged a report!  It's probably a better way anyway.

Once the report was scheduled, I leverage it using 

loadjob savedseach="user:app:reportname" 

This preserves column order!!

 

 

 

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Do you have a table command in the query?  That's a sure way to set the order in which fields appear.

Why do you have to reorder fields following inputlookup?  Splunk doesn't care what the order is.

---
If this reply helps you, Karma would be appreciated.
0 Karma

maxsteel
Explorer

I leveraged stats to create the output in a specific order, not table.

It appears that the outputlookup is rearranging my reusable csv alphabetically and then when I call it later it's showing this new alphabetical order.

I'd rather it be in the same order as my stats so that I don't have to reorder every time I call the csv.

(you are right that splunk doesn't care about order, but I do 🙂 )

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try putting a table command before outputlookup to enforce the field order.  Not sure if it will help, but it might.

---
If this reply helps you, Karma would be appreciated.
0 Karma

maxsteel
Explorer

I was hoping to not have to create a table for each, hence the original question.  

That being said, if splunk likes to alphabetize outputlookup tables, then I guess I have to use a table and specify order each time.. yuk..

 

0 Karma

maxsteel
Explorer

So table "works" but it was too much to keep adding this logic as I have a few columns, and I didn't want to have to keep editing them everywhere as I add/remove them.

In the end, I fixed it differently (going to share how for the next person).  Instead of using a csv (that, once again, gets read in will alphabetize the columns (booooo!)) I leveraged a report!  It's probably a better way anyway.

Once the report was scheduled, I leverage it using 

loadjob savedseach="user:app:reportname" 

This preserves column order!!

 

 

 

Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...