Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does Email Report change column order?

njones781
Loves-to-Learn
‎06-02-2020 08:21 AM

_Time is the column that gets moved from last to first only within the reports csv. Within the Inline results, the search, and a direct csv from the search keeps the columns in the correct order. How can I correct for this current and future reports?

Labels (1)
Labels
0 Karma
Reply

wyfwa4
Communicator
‎09-11-2020 04:38 AM

It appears that Splunk detects the "_time" fields and makes a decision that this should be first - I assume as _time is the only true law in the universe. So if you rename the field to a custom name like "timefield" - is it no longer considered a special case and will now follow the order specified by the fields or table command.

Another consideration is that when a field is called "_time" and contains an epoch time value - Splunk will automatically convert it to a readable format. However when you rename to something else, Splunk will just show the epoch value. So you also need to add a eval with strftime to convert the value to your preferred readable time.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2020 10:18 AM

Use a table command to specify the order in which to display fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

njones781
Loves-to-Learn
‎06-02-2020 11:13 AM

|table DeptName App Region Tran USERID EmpName ACF2Name _time

Adding in this additional line did not have an impact on the Report csv column order.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-03-2020 05:38 AM

You may need to submit a support request.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2020 10:06 AM

Are you using a table command to set the field order?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

njones781
Loves-to-Learn
‎06-02-2020 10:12 AM

I was not, my order was being derived from:

|stats count as #Trans by DeptName App Region Tran USERID EmpName ACF2Name _time

0 Karma
Reply
Get Updates on the Splunk Community!

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...

Data Management Digest – January 2026

Welcome to the January 2026 edition of Data Management Digest! Welcome to the January 2026 edition of Data ...

Splunk SOAR Now Available on Google Cloud Platform

We’re excited to announce that Splunk SOAR is now natively available as a SaaS solution on Google Cloud ...