Hi @ all,
I'm using this search:
sourcetype=wineventlog:system (EventCode=20001) | table _time, EventCode, ComputerName, Message | sort _time desc
If invoked in the Splunk GUI, the table has the fields/columns in the order which is defined within the search using the table command.
But if the search is invoked within the Windows cmd.exe or Powershell, the order of the fields is:
EventCode, _time, Message, ComputerName
I've found a similar question here (https://answers.splunk.com/answers/204709/fields-order-when-using-splunk-search-in-command-l.html), which tells us to use fields field1, field2, ... However, by using the fields command I can't output my results as CSV. I also tried to rename the fields, but still no luck and the order remains the same.
Any idea how I can explicitly define the order of my columns within a table using a CLI search?
thanks in advance
-ciir
Try | fields keepcolorder=t.
Show us the command and error when using fields with outputcsv; it should work fine.
Thank you @woodcock for answering.
By doing the searches again I found out the following:
It works, but it's not working as it's supposed to be.
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | fields _time, EventCode, ComputerName" -maxout 2 -output csv
and the output is:
"_serial","_time","_raw"
...data...
It's in fact CSV, but not the fields I want.
I also figured out that using Message is not good for csv because it has many linefeeds.
It works fine if and only if I run the search with the table command like this:
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | table _time, EventCode, ComputerName | fields _time, EventCode, ComputerName" -maxout 2 -output csv
but again the order is different from what I defined. The order is: EventCode, _time, ComputerName
Is there maybe a default value for the order when using Web Search that doesn't affect the CLI search? Have you tried .\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | fields + _time, EventCode, ComputerName" -maxout 2 -output csv (added a + between fields and _time)
I discovered that as soon as you add -output csv, the order of the fields is changed.
Thank you very much @Sebastian2, the added + does the trick!
But only if it is used the following way:
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | table _time, EventCode, ComputerName | fields + _time, EventCode, ComputerName" -maxout 2
Great! Maybe you should consider a bug report with detailed information for the Splunk Team; I'm sure that doesn't work as intended.
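As an added example (not from the thread and not Splunk's own code), here is a Python helper that builds the search the way the thread settled on (table followed by fields +) and then re-emits whatever CSV the CLI returned with the columns in the requested order, so the order no longer depends on -output csv; because the CSV parser respects quoting, a Message value that spans several lines stays intact. The sample CSV, timestamps and host names are constructed.

```python
import csv
import io

# Constructed stand-in for what `splunk.exe ... -output csv` printed in the
# thread: columns come back in a different order than the search asked for,
# and the Message field contains a line feed inside its quotes.
SAMPLE_CSV = (
    '"EventCode","_time","Message","ComputerName"\n'
    '"20001","2019-05-02 10:15:00","Driver Management concluded the process to install driver\n'
    'for Device Instance ID USB\\VID_0000&PID_0000.","HOST01"\n'
    '"20001","2019-05-02 10:14:30","Driver installed.","HOST02"\n'
)


def build_search(fields, sourcetype="wineventlog:system", event_code=20001):
    """SPL that keeps the column order on the CLI: `table` to pick the
    columns, then `fields +` (the '+' is what made the order stick)."""
    cols = ", ".join(fields)
    return (f"sourcetype={sourcetype} EventCode={event_code} "
            f"| table {cols} | fields + {cols}")


def parse_rows(csv_text):
    """Parse CLI CSV output into dicts; quoted line feeds stay in Message."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reorder_csv(csv_text, fields):
    """Re-emit the CSV with exactly `fields`, in that order.

    Columns the CLI did not return come out empty rather than raising, so a
    renamed or missing field is visible in the output instead of breaking it.
    """
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    for row in parse_rows(csv_text):
        writer.writerow({f: row.get(f, "") for f in fields})
    return out.getvalue()


if __name__ == "__main__":
    wanted = ["_time", "EventCode", "ComputerName"]
    print(build_search(wanted))
    print(reorder_csv(SAMPLE_CSV, wanted))
```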