Hi @ all,
I'm using this search:
sourcetype=wineventlog:system (EventCode=20001) | table _time, EventCode, ComputerName, Message | sort _time desc
If invoked in the Splunk GUI, the table has the fields/columns in the order which is defined within the search using the
But if the search is invoked within the Windows cmd.exe or Powershell, the order of the fields is:
EventCode, _time, Message, ComputerName
I've found a similar question here (https://answers.splunk.com/answers/204709/fields-order-when-using-splunk-search-in-command-l.html), which tells us to use fields field1, field2, .... However, by using the fields command I can't output my results as CSV. I also tried to rename the fields, but still no luck and the order remains the same.
Any idea how I can explicitly define the order of my columns within a table using a CLI search?
Thanks in advance.
| fields keepcolorder=t.
Show us the command and error when using outputcsv; it should work fine.
Thank you @woodcock for answering.
By doing the searches again I found out the following:
It works, but it's not working as it's supposed to be.
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | fields _time, EventCode, ComputerName" -maxout 2 -output csv
and the output is:
It's in fact CSV, but not the fields I want.
I also figured out that using Message is not good for csv because it has many linefeeds.
It works fine if and only if I run the search with the table command like this:
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | table _time, EventCode, ComputerName | fields _time, EventCode, ComputerName" -maxout 2 -output csv
but again the order is different to what I defined. The order is:
EventCode, _time, ComputerName
Is there maybe a default value for the order, when using Web Search that doesn't affect the CLI search? Have you tried
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | fields + _time, EventCode, ComputerName" -maxout 2 -output csv (added a
I discovered that as soon as you add -output csv, the order of the fields is changed.
Thank you very much @Sebastian2, the added + does the trick!
But only if it is used the following way:
.\splunk.exe "sourcetype=wineventlog:system EventCode=20001 | table _time, EventCode, ComputerName | fields + _time, EventCode, ComputerName" -maxout 2
Great! Maybe you should consider a bug report with detailed information for the Splunk Team; I'm sure that doesn't work as intended.
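As an added example (not from anyone in this thread), the PowerShell below runs the final "fields +" search from the thread, then checks the CSV header order on the client side and forces the wanted order with Select-Object if the CLI still returns something else, so a scheduled export does not silently depend on the CLI quirk. It assumes splunk.exe is in the current directory and that "-output csv" writes the CSV to standard output, as the thread's commands show.

```powershell
# Added example, not part of the thread. Assumptions: splunk.exe is in the
# current directory and "-output csv" writes CSV to standard output.
$Wanted = @('_time', 'EventCode', 'ComputerName')
$Search = 'sourcetype=wineventlog:system EventCode=20001 | table _time, EventCode, ComputerName | fields + _time, EventCode, ComputerName'

# Capture stdout as one string so that quoted CSV fields spanning several
# lines (e.g. Message, if you add it to the field list) are not split.
$Raw = (& .\splunk.exe $Search -maxout 2 -output csv) -join "`n"

# Parse the CSV text into objects; the header line becomes the property names.
$Rows = @($Raw | ConvertFrom-Csv)

# Column order as the CLI returned it (property order of the first object).
$Got = @()
if ($Rows.Count -gt 0) { $Got = @($Rows[0].PSObject.Properties.Name) }

if (($Got -join ',') -eq ($Wanted -join ',')) {
    Write-Host "Column order matches: $($Got -join ', ')"
} else {
    Write-Warning "CLI returned [$($Got -join ', ')]; reordering to [$($Wanted -join ', ')]"
}

# Select-Object with an explicit property list always emits the columns in the
# order given, whatever order the CLI produced, so the export is deterministic.
$Rows |
    Select-Object -Property $Wanted |
    Export-Csv -Path .\events_20001.csv -NoTypeInformation
```

Drop the -maxout 2 limit once you are satisfied with the output; it is kept here only to mirror the thread's test commands.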