Splunk Search

How to define the table column order in CLI searches

Explorer

Hi @ all,

I'm using this search:

sourcetype=wineventlog:system (EventCode=20001) | table _time, EventCode, ComputerName, Message | sort _time desc

If invoked in the Splunk GUI, the table has the fields/columns in the order which is defined within the search using the table command.

But if the search is invoked within the Windows cmd.exe or Powershell, the order of the fields is:
EventCode, _time, Message, ComputerName

I've found a similar question here (https://answers.splunk.com/answers/204709/fields-order-when-using-splunk-search-in-command-l.html), which tells us to use fields field1, field2, .... However, by using the fields command, I can't output my results as CSV. I also tried to rename the fields, but still no luck and the order remains the same.

Any idea how I can explicitly define the order of my columns within a table using a CLI search?

thanks in advance
-ciir

0 Karma

Esteemed Legend

Try | fields keepcolorder=t.

0 Karma

Esteemed Legend

Show us the command and error when using fields with outputcsv; it should work fine.

0 Karma

Explorer

Thank you @woodcock for answering.

By doing the searches again I found out the following:

It works, but it's not working as it's supposed to.
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | fields _time, EventCode, ComputerName" -maxout 2 -output csv

and the output is:

"_serial","_time","_raw"
...data...

It's in fact CSV but not the fields I want.
I also figured out that using Message is not good for csv because it has many linefeeds.

It works fine if and only if I run the search with the table command like this:

.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | table _time, EventCode, ComputerName | fields _time, EventCode, ComputerName" -maxout 2 -output csv

But again the order is different from what I defined. The order is: EventCode, _time, ComputerName

0 Karma
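Added example, not part of the thread above: when the CLI cannot be coaxed into the column order you want, the consumer of the CSV can impose it instead. The script below (hypothetical helper, not Splunk code) takes a constructed sample of what `splunk.exe ... -output csv` emits (CLI-chosen column order plus the CLI's own `_serial` column), drops columns you did not ask for, and rewrites the rows in a fixed order. It also shows that a proper CSV parser has no trouble with the embedded linefeeds in Message mentioned above, as long as every field stays quoted; the sample values, host names and timestamps are made up.

```python
import csv
import io

# Constructed sample of CLI output: the CLI prepends _serial and picks its
# own column order, and the Message field contains embedded line breaks.
SAMPLE_CLI_CSV = (
    '"_serial","EventCode","_time","Message","ComputerName"\n'
    '"0","20001","2019-05-01T10:15:00.000+02:00","Driver Management concluded\n'
    'the process to install driver.","host01.example.local"\n'
    '"1","20001","2019-05-01T10:14:30.000+02:00","Second event\n'
    'with more lines","host02.example.local"\n'
)

# The column order the table command would have produced in the GUI.
DESIRED_ORDER = ["_time", "EventCode", "ComputerName", "Message"]


def parse_csv(text):
    """Parse CSV text into a list of rows.

    newline="" is required so that quoted fields spanning several lines
    (the Message column) are returned intact instead of being split.
    """
    return list(csv.reader(io.StringIO(text, newline="")))


def reorder_rows(raw_csv, columns):
    """Return the data rows restricted to `columns`, in that order.

    Columns the CLI added on its own (_serial, _raw, ...) are dropped;
    asking for a column that is not present is an error rather than a
    silently empty column.
    """
    rows = parse_csv(raw_csv)
    if not rows:
        return []
    header = rows[0]
    missing = [c for c in columns if c not in header]
    if missing:
        raise ValueError("columns not present in CLI output: %s" % missing)
    index = [header.index(c) for c in columns]
    return [[row[i] for i in index] for row in rows[1:]]


def reorder_csv(raw_csv, columns):
    """Rewrite the CLI CSV with the requested header and column order.

    QUOTE_ALL keeps fields with embedded newlines (Message) parseable by
    any downstream CSV reader.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    writer.writerows(reorder_rows(raw_csv, columns))
    return out.getvalue()


if __name__ == "__main__":
    # Typical use: pipe the CLI output into this script and read stdout.
    print(reorder_csv(SAMPLE_CLI_CSV, DESIRED_ORDER), end="")
```

In practice you would feed the script with `splunk.exe "..." -output csv | python reorder.py` and keep the desired order in one place; the point is that the column order is then fixed by your tooling rather than by whatever the CLI decides.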

Path Finder

Is there maybe a default value for the order, when using Web Search that doesn't affect the CLI search? Have you tried .\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | fields + _time, EventCode, ComputerName" -maxout 2 -output csv (added a + between fields and _time)

0 Karma

Explorer

I discovered that as soon as you add -output csv the order of the fields is changed.

0 Karma

Explorer

Thank you very much @Sebastian2, the added + does the trick!
But only if it is used the following way:
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | table _time, EventCode, ComputerName | fields + _time, EventCode, ComputerName" -maxout 2

Path Finder

Great! Maybe you should consider a bug report with detailed information for the Splunk Team; I'm sure that doesn't work as intended.

0 Karma