Why does csv sent via sendmail change column order...

nicofantinato · ‎11-18-2021

Hello to everyone,

my issue is that when I use sendemail in a scheduled search to send results via email in csv format, columns in the csv are not in the same order I tabled them in the search. For example:

<some_search>
| table field1 field2 field3
| outputcsv TestInvioMail_searchOutput.csv
| stats values(recipient) AS emailToHeader | mvexpand emailToHeader
| map search="|inputcsv TestInvioMail_searchOutput.csv | where recipient=$emailToHeader$
| sendemail
sendresults=true sendcsv=true
server=<my_email_server_address>
from=<sender_server_address>
to=$emailToHeader$
subject=\"Some object\"
message=\"Some message\""
| append [|inputcsv TestInvioMail_searchOutput.csv]

I need to use also map command because I have to send different results to different recipients, since inserting recipient token in the Splunk's mail alert panel doesn't work. Sendemail works fine, every recipient receives the correct results, but they receive a csv in which fields are in a different order respect to the one specified in table command (for example in the csv column order is field2 field3 field1).

I also tried to add width_sort_columns=<bool> parameter in sendemail command (after sendcsv=true) but without success.

Do you have any suggestion?

Thanks in advance.

Frontman82 · ‎06-07-2023

Did yoy manage to get a solution?

thank you.

isoutamo · ‎06-07-2023

Hi

how about add additional table f1 f2 f3 after |inputlookup command?

....
| append 
    [| inputcsv TestInvioMail_searchOutput.csv 
    | table field1 field2 field3]

r. Ismo

Frontman82 · ‎06-07-2023

hi,

I'm using it a bit differntly

search...
| table field1 field2 field3
| sendresults..

sometimes the fileds are in the correct order, sometimes randomly mixed.

isoutamo · ‎06-07-2023

You are including those lines on last append. Your previous table didn't work on that level. For that reason you must add it also on that subsearch which is separate process.

Frontman82 · ‎06-07-2023

sorry but it's not working or not getting it.

my search is simple

index=x | table field1 field2 field3 |sendresults

and columns are mixing

isoutamo · ‎06-07-2023

You should use </> block when you are including code, samples etc. to ensure that your question is correctly formatted!

<some_search> 
| table field1 field2 field3 
| outputcsv TestInvioMail_searchOutput.csv 
| stats values(recipient) AS emailToHeader 
| mvexpand emailToHeader 
| map search="|inputcsv TestInvioMail_searchOutput.csv | where recipient=$emailToHeader$
| sendemail
sendresults=true sendcsv=true
server=<my_email_server_address>
from=<sender_server_address>
to=$emailToHeader$
subject=\"Some object\"
    message=\"Some message\"" 
| append 
    [| inputcsv TestInvioMail_searchOutput.csv]

I suppose that above was what you have written?

There is couple of questions.

You have exported to csv file fields: field1 field2 field3
- When you are using it you are searching field named recipient not fieldX!
- Could you told what are correct field names?
Why you have the last append?

If you want that ensure that columns are in correct order please try to change

.....
| map search="|inputcsv TestInvioMail_searchOutput.csv | where recipient=$emailToHeader$
| table <fields as you want>
| sendemail
sendresults=true sendcsv=true
server=<my_email_server_address>
from=<sender_server_address>
to=$emailToHeader$
subject=\"Some object\"
    message=\"Some message\""

Why does csv sent via sendmail change column order?

troubleshooting

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life