Splunk Enterprise

Why does csv sent via sendmail change column order?

nicofantinato
Path Finder

Hello to everyone,

my issue is that when I use sendemail in a scheduled search to send results via email in csv format, columns in the csv are not in the same order I tabled them in the search. For example:

<some_search>
| table field1 field2 field3
| outputcsv TestInvioMail_searchOutput.csv
| stats values(recipient) AS emailToHeader | mvexpand emailToHeader
| map search="|inputcsv TestInvioMail_searchOutput.csv | where recipient=$emailToHeader$
| sendemail
sendresults=true sendcsv=true
server=<my_email_server_address>
from=<sender_server_address>
to=$emailToHeader$
subject=\"Some object\"
message=\"Some message\""
| append [|inputcsv TestInvioMail_searchOutput.csv]

I need to use also map command because I have to send different results to different recipients, since inserting recipient token in the Splunk's mail alert panel doesn't work. Sendemail works fine, every recipient receives the correct results, but they receive a csv in which fields are in a different order respect to the one specified in table command (for example in the csv column order is fieldfield3 field1).

I also tried to add width_sort_columns=<bool> parameter in sendemail command (after sendcsv=true) but without success.

Do you have any suggestion?

Thanks in advance.

Labels (1)
0 Karma

Frontman82
Loves-to-Learn

Did yoy manage to get a solution?

thank you.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

how about add additional table f1 f2 f3 after |inputlookup command?

....
| append 
    [| inputcsv TestInvioMail_searchOutput.csv 
    | table field1 field2 field3]

r. Ismo 

0 Karma

Frontman82
Loves-to-Learn

hi,

I'm using it a bit differntly

search...
| table field1 field2 field3
| sendresults..



sometimes the fileds are in the correct order, sometimes randomly mixed.

Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust
You are including those lines on last append. Your previous table didn't work on that level. For that reason you must add it also on that subsearch which is separate process.
0 Karma

Frontman82
Loves-to-Learn

sorry but it's not working or not getting it.

my search is simple

index=x | table field1 field2 field3 |sendresults

and columns are mixing

0 Karma

isoutamo
SplunkTrust
SplunkTrust

You should use </> block when you are including code, samples etc. to ensure that your question is correctly formatted!

<some_search> 
| table field1 field2 field3 
| outputcsv TestInvioMail_searchOutput.csv 
| stats values(recipient) AS emailToHeader 
| mvexpand emailToHeader 
| map search="|inputcsv TestInvioMail_searchOutput.csv | where recipient=$emailToHeader$
| sendemail
sendresults=true sendcsv=true
server=<my_email_server_address>
from=<sender_server_address>
to=$emailToHeader$
subject=\"Some object\"
    message=\"Some message\"" 
| append 
    [| inputcsv TestInvioMail_searchOutput.csv]

I suppose that above was what you have written? 

There is couple of questions.

  • You have exported to csv file fields: field1 field2 field3
    • When you are using it you are searching field named recipient not fieldX!
    • Could you told what are correct field names?
  • Why you have the last append?

If you want that ensure that columns are in correct order please try to change  

.....
| map search="|inputcsv TestInvioMail_searchOutput.csv | where recipient=$emailToHeader$
| table <fields as you want>
| sendemail
sendresults=true sendcsv=true
server=<my_email_server_address>
from=<sender_server_address>
to=$emailToHeader$
subject=\"Some object\"
    message=\"Some message\"" 

 

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...