Solved: Re: Define field order on export

CerielTjuh · ‎05-05-2010

Hi there,

I have a saved search that I want to run every day at noon, I am sending the results trough mail and want to analyse them, but the fields order isn't logic.

host="fw.azl.local" type="event" subtype="admin" pri="notice" seq!="" | fields - _* | fields date, time, ui, user, msg, devname, sintf, dintf, saddr, daddr, svr, act

My results are in a different order then the one i am searching for (date, time, etc..) How can i make sure i have the same order in my mail as the search string ?

Thnx !

kbecker · ‎06-17-2010

I was told by support that the field order difference between the the web GUI and saved searches is a bug and should be resolved in 4.1.4.

View solution in original post

southeringtonp · ‎08-16-2010

The email functionality is driven by a script called 'sendemail.py' in the search app. If you're brave, you can do this: - copy sendemail.py to sendemail-custom.py - make any changes you like in that script - add this to apps/search/local/commands.conf: [sendemail] filename = sendemail-custom.py

Your custom version can do whatever you want it to, but the drawback is you now have to maintain it if Splunk makes changes to the original (for example, the addition of PDF emails in Splunk 4.1)

I use a modified version of the script that adds CSS formatting to the email and re-orders the fields if it sees a 'fields' command in the search string.

View solution in original post

southeringtonp · ‎08-16-2010

The email functionality is driven by a script called 'sendemail.py' in the search app. If you're brave, you can do this: - copy sendemail.py to sendemail-custom.py - make any changes you like in that script - add this to apps/search/local/commands.conf: [sendemail] filename = sendemail-custom.py

Your custom version can do whatever you want it to, but the drawback is you now have to maintain it if Splunk makes changes to the original (for example, the addition of PDF emails in Splunk 4.1)

I use a modified version of the script that adds CSS formatting to the email and re-orders the fields if it sees a 'fields' command in the search string.

kbecker · ‎06-17-2010

I was told by support that the field order difference between the the web GUI and saved searches is a bug and should be resolved in 4.1.4.

CerielTjuh · ‎06-18-2010

Thnx guys, I will wait for the new release 🙂

gkanapathy · ‎06-17-2010

The script that sends emails out specifically re-orders fields by length of content (field with longest value first). I have modified the script to remove this logic, but yes it would be nice if that is being done permanently.

bfaber · ‎05-06-2010

What version of Splunk is this? I think that the ordering was an issue prior to 4.0...

bfaber · ‎05-07-2010

That may be a bug -- I'd send it to support@splunk.com...

CerielTjuh · ‎05-07-2010

Latest version, 4.1.2, I found out yesterday that if i create a new dashboard with the search, the order is fine, only when i create a saved search and let Splunk e-mail me the results it is messed up.

Define field order on export

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation