Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why does Email Report change column order?

njones781
Loves-to-Learn
‎06-02-2020 08:21 AM

_Time is the column that gets moved from last to first only within the reports csv. Within the Inline results, the search, and a direct csv from the search keeps the columns in the correct order. How can I correct for this current and future reports?

Labels (1)
Labels
0 Karma
Reply

wyfwa4
Communicator
‎09-11-2020 04:38 AM

It appears that Splunk detects the "_time" fields and makes a decision that this should be first - I assume as _time is the only true law in the universe. So if you rename the field to a custom name like "timefield" - is it no longer considered a special case and will now follow the order specified by the fields or table command.

Another consideration is that when a field is called "_time" and contains an epoch time value - Splunk will automatically convert it to a readable format. However when you rename to something else, Splunk will just show the epoch value. So you also need to add a eval with strftime to convert the value to your preferred readable time.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2020 10:18 AM

Use a table command to specify the order in which to display fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

njones781
Loves-to-Learn
‎06-02-2020 11:13 AM

|table DeptName App Region Tran USERID EmpName ACF2Name _time

Adding in this additional line did not have an impact on the Report csv column order.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-03-2020 05:38 AM

You may need to submit a support request.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2020 10:06 AM

Are you using a table command to set the field order?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

njones781
Loves-to-Learn
‎06-02-2020 10:12 AM

I was not, my order was being derived from:

|stats count as #Trans by DeptName App Region Tran USERID EmpName ACF2Name _time

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...