Splunk Search

How to define the table column order in CLI searches

ciir
Explorer

Hi @ all,

I'm using this search:

sourcetype=wineventlog:system (EventCode=20001) | table _time, EventCode, ComputerName, Message | sort _time desc

If invoked in the Splunk GUI, the table has the fields/columns in the order which is defined within the search using the table command.

But if the search is invoked within the Windows cmd.exe or PowerShell, the order of the fields is:
EventCode, _time, Message, ComputerName

I've found a similar question here (https://answers.splunk.com/answers/204709/fields-order-when-using-splunk-search-in-command-l.html), which tells us to use fields field1, field2, .... However, by using the fields command I can't output my results as CSV. I also tried to rename the fields, but still no luck and the order remains the same.

Any idea how I can explicitly define the order of my columns within a table using a CLI search?

thanks in advance
-ciir

0 Karma

woodcock
Esteemed Legend

Try | fields keepcolorder=t.

0 Karma

woodcock
Esteemed Legend

Show us the command and error when using fields with outputcsv; it should work fine.

0 Karma

ciir
Explorer

Thank you @woodcock for answering.

By doing the searches again I found out the following:

It works, but it's not working as it's supposed to.
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | fields _time, EventCode, ComputerName" -maxout 2 -output csv

and the output is:

"_serial","_time","_raw"
...data...

It's in fact CSV, but not the fields I want.
I also figured out that using Message is not good for csv because it has many linefeeds.

It works fine if and only if I run the search with the table command like this:

.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | table _time, EventCode, ComputerName | fields _time, EventCode, ComputerName" -maxout 2 -output csv

But again the order is different from what I defined. The order is: EventCode, _time, ComputerName

0 Karma
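Whatever order the CLI finally emits, the CSV can be put into the order the search's table command asked for after the fact. The script below is an added example, not code from this thread or from Splunk: it reads CSV text as produced by splunk.exe with -output csv (a constructed sample is embedded, with the columns in the "wrong" order from the post above and a multi-line Message value, since the post notes that Message contains many linefeeds), rewrites it with the wanted column order, and keeps the quoted linefeeds intact. The column names are the ones used in the thread; the host names and timestamps in the sample are made up.

```python
import csv
import io
import sys

# Constructed sample of what the CLI emitted in the thread: columns in an order
# that does not match the search's table command, and a Message field with
# embedded newlines. Not real output from any Splunk instance.
SAMPLE_CLI_CSV = (
    '"EventCode","_time","Message","ComputerName"\r\n'
    '"20001","2024-12-01T10:00:00.000+00:00",'
    '"Driver Management concluded the process to install driver\n'
    'for Device Instance ID ABC.\nThe final status was 0x0.",'
    '"host1.example.local"\r\n'
    '"20001","2024-12-01T09:58:12.000+00:00",'
    '"Driver Management concluded the process to install driver\n'
    'for Device Instance ID DEF.\nThe final status was 0x0.",'
    '"host2.example.local"\r\n'
)

# The order the original search asked for with its table command.
WANTED_ORDER = ["_time", "EventCode", "ComputerName", "Message"]


def header_of(text):
    """Return the column names in the order the CSV text lists them."""
    return next(csv.reader(io.StringIO(text)))


def reorder_csv(text, columns):
    """Rewrite CSV text so that columns appear in `columns` order.

    The csv module reassembles quoted fields that span several lines, so a
    Message value with linefeeds survives the round trip. Columns missing
    from the input become empty strings; columns not listed are dropped.
    """
    rows = list(csv.DictReader(io.StringIO(text)))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns,
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({c: row.get(c, "") for c in columns})
    return out.getvalue()


def main():
    # Usage: splunk.exe search "..." -output csv | python reorder.py > out.csv
    # With no piped input, the constructed sample is reordered instead.
    text = SAMPLE_CLI_CSV if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(reorder_csv(text, WANTED_ORDER))


if __name__ == "__main__":
    main()
```

Pipe the CLI output into the script instead of relying on the ordering quirk; the DictReader/DictWriter pair is what keeps multi-line Message values as single quoted cells rather than breaking them into extra rows.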

Sebastian2
Path Finder

Is there maybe a default value for the order, when using Web Search that doesn't affect the CLI search? Have you tried .\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | fields + _time, EventCode, ComputerName" -maxout 2 -output csv (added a + between fields and _time)

0 Karma

ciir
Explorer

I discovered that as soon as you add -output csv the order of the fields are changed.

0 Karma

ciir
Explorer

Thank you very much @Sebastian2, the added + does the trick!
But only if it is used the following way:
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | table _time, EventCode, ComputerName | fields + _time, EventCode, ComputerName" -maxout 2

Sebastian2
Path Finder

Great! Maybe you should consider a bug-report with detailed information for the Splunk Team; I'm sure that doesn't work as intended

0 Karma