Re: Move _time to the last column in the attached ...

rayar · ‎03-31-2020

How I can move _time column to be the last on the an attached csv file in the email send by scheduled report

the query returns the _time as the last column but in the attached mail it's set as a fist column

the query

.
.
.
| table USER_ID duser FIRST_NAME LAST_NAME Duration cn1 _time
| rename cn1 as "Duration (sec)", FIRST_NAME as "First Name", LAST_NAME as "Last Name"
| search "First Name"="" AND "Last Name"=""
| outputcsv vpn_data.csv

anmolpatel · ‎03-31-2020

@rayar as per the doc for output command, it adds the _time field to the front.
https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Outputcsv#Internal_fields_a...

if you want to have the strict order, here is a workaround:

| rename cn1 as "Duration (sec)", FIRST_NAME as "First Name", LAST_NAME as "Last Name"
| search "First Name"="" AND "Last Name"=""
| eval time = strftime(_time, "%Y-%d-%m %H:%M:%S")
| fields USER_ID duser "First Name" "Last Name" Duration "Duration (sec)" time
| outputcsv vpn_data.csv

Move _time to the last column in the attached mail

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join the Conversation

Move _time to the last column in the attached mail

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA