Why does Email Report change column order?

njones781 · ‎06-02-2020

_Time is the column that gets moved from last to first only within the reports csv. Within the Inline results, the search, and a direct csv from the search keeps the columns in the correct order. How can I correct for this current and future reports?

wyfwa4 · ‎09-11-2020

It appears that Splunk detects the "_time" fields and makes a decision that this should be first - I assume as _time is the only true law in the universe. So if you rename the field to a custom name like "timefield" - is it no longer considered a special case and will now follow the order specified by the fields or table command.

Another consideration is that when a field is called "_time" and contains an epoch time value - Splunk will automatically convert it to a readable format. However when you rename to something else, Splunk will just show the epoch value. So you also need to add a eval with strftime to convert the value to your preferred readable time.

richgalloway · ‎06-02-2020

Use a table command to specify the order in which to display fields.

---
If this reply helps you, Karma would be appreciated.

njones781 · ‎06-02-2020

|table DeptName App Region Tran USERID EmpName ACF2Name _time

Adding in this additional line did not have an impact on the Report csv column order.

richgalloway · ‎06-03-2020

You may need to submit a support request.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎06-02-2020

Are you using a table command to set the field order?

---
If this reply helps you, Karma would be appreciated.

njones781 · ‎06-02-2020

I was not, my order was being derived from:

|stats count as #Trans by DeptName App Region Tran USERID EmpName ACF2Name _time

Why does Email Report change column order?

CSV

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!