Getting Data In

Outputlookup creating csv with columns that are alphabetical?

maxsteel
Explorer

I have a search that gathers a bunch of data from various sources and appends to 1 big stats that I have reporting in a customized column order.
After I weed out some things I don't like, it looks perfect in search, so I appended a:
| outputlookup file.csv
to the very bottom so it'd write to a reusable csv.

When I look at the dataset/csv it is rearranging my columns into an alphabetical order (caps first).

Is there any way to keep my order in the csv so when I reference it later in an inputlookup I don't need to manually reorder it everytime?

 

Labels (1)
0 Karma
1 Solution

maxsteel
Explorer

So table "works" but it was too much to keep adding this logic as I have a few columns, and I didn't want to have to keep editing them everywhere as I add/remove them.

In the end, I fixed it differently (going to share how for the next person).  Instead of using a csv (that, once again, gets read in will alphabetize the columns (booooo!)) I leveraged a report!  It's probably a better way anyway.

Once the report was scheduled, I leverage it using 

loadjob savedseach="user:app:reportname" 

This preserves column order!!

 

 

 

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Do you have a table command in the query?  That's a sure way to set the order in which fields appear.

Why do you have to reorder fields following inputlookup?  Splunk doesn't care what the order is.

---
If this reply helps you, Karma would be appreciated.
0 Karma

maxsteel
Explorer

I leveraged stats to create the output in a specific order, not table.

It appears that the outputlookup is rearranging my reusable csv alphabetically and then when I call it later it's showing this new alphabetical order.

I'd rather it be in the same order as my stats so that I don't have to reorder every time I call the csv.

(you are right that splunk doesn't care about order, but I do 🙂 )

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try putting a table command before outputlookup to enforce the field order.  Not sure if it will help, but it might.

---
If this reply helps you, Karma would be appreciated.
0 Karma

maxsteel
Explorer

I was hoping to not have to create a table for each, hence the original question.  

That being said, if splunk likes to alphabetize outputlookup tables, then I guess I have to use a table and specify order each time.. yuk..

 

0 Karma

maxsteel
Explorer

So table "works" but it was too much to keep adding this logic as I have a few columns, and I didn't want to have to keep editing them everywhere as I add/remove them.

In the end, I fixed it differently (going to share how for the next person).  Instead of using a csv (that, once again, gets read in will alphabetize the columns (booooo!)) I leveraged a report!  It's probably a better way anyway.

Once the report was scheduled, I leverage it using 

loadjob savedseach="user:app:reportname" 

This preserves column order!!

 

 

 

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...