Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does Email Report change column order?

njones781
Loves-to-Learn
‎06-02-2020 08:21 AM

_Time is the column that gets moved from last to first only within the reports csv. Within the Inline results, the search, and a direct csv from the search keeps the columns in the correct order. How can I correct for this current and future reports?

Labels (1)
Labels
0 Karma
Reply

wyfwa4
Communicator
‎09-11-2020 04:38 AM

It appears that Splunk detects the "_time" fields and makes a decision that this should be first - I assume as _time is the only true law in the universe. So if you rename the field to a custom name like "timefield" - is it no longer considered a special case and will now follow the order specified by the fields or table command.

Another consideration is that when a field is called "_time" and contains an epoch time value - Splunk will automatically convert it to a readable format. However when you rename to something else, Splunk will just show the epoch value. So you also need to add a eval with strftime to convert the value to your preferred readable time.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2020 10:18 AM

Use a table command to specify the order in which to display fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

njones781
Loves-to-Learn
‎06-02-2020 11:13 AM

|table DeptName App Region Tran USERID EmpName ACF2Name _time

Adding in this additional line did not have an impact on the Report csv column order.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-03-2020 05:38 AM

You may need to submit a support request.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2020 10:06 AM

Are you using a table command to set the field order?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

njones781
Loves-to-Learn
‎06-02-2020 10:12 AM

I was not, my order was being derived from:

|stats count as #Trans by DeptName App Region Tran USERID EmpName ACF2Name _time

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...