I have a workaround... I've seen this before and the conclusion is the API doesn't export the null values. This is the workaround:
search index=indexname | sort - _time | rename _time AS time | convert ctime(time) | eval fielda=if(isnull(fielda),",",fielda) | eval fieldb=if(isnull(fieldb),",",fieldb) | eval fieldc=if(isnull(fieldc),",",fieldc) | eval fieldd=if(isnull(fieldd),",",fieldd) | eval fielde=if(isnull(fielde),",",fielde) | table fielda fieldb fieldc fieldd fielde
What it will do is replace null values with commas, and then the API is forced to export in correct CSV format.
curl -k -u username:password https://url --data-urlencode search="search index= sourcetype= earliest=-30d latest=now | fillnull value=null | sort -_time | rename _time AS time | convert ctime(time) | table field1,field2,field3,field4,field5" -d output_mode=csv -o /home/username/test.csv
I am expecting something like
OK... so since field1, field2, field3 and field4 are null when you get to the pipe with fillnull, the search processor doesn't know that they exist, and therefore cannot fill them with null...
... | fillnull value=NULL field1,field2,field3,field4,field5 | ...
That should explicitly tell the fillnull processor that those fields exist and need to be set.
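Added example (my own code, not any of the posters'): a small Python helper that builds the export search with the explicit fillnull field list described above, assembles the curl command for it, and checks the CSV that comes back for columns that were dropped. The endpoint path /services/search/jobs/export, the field names field1..field4 and the two CSV samples are assumptions constructed for the demonstration; the thread itself only names the search and output_mode parameters.

```python
"""Build a Splunk export search that keeps all-null columns, and verify the CSV it returns."""
import csv
import io

FILL = "NULL"  # sentinel written into empty cells by fillnull

# Assumed field names for the demonstration (the thread only shows field1..field5 as placeholders).
FIELDS = ["field1", "field2", "field3", "field4"]


def build_export_search(index, sourcetype, fields, earliest="-30d", latest="now", fill=FILL):
    """Return SPL whose fillnull names every column explicitly.

    fillnull takes a space-separated field list; naming the fields makes the search
    processor create them before `table` selects them, so a column that is null in
    every event still appears in the export. Without the list, fillnull can only
    fill fields that already exist, and an all-null column is silently dropped.
    """
    field_list = " ".join(fields)
    return (
        f"search index={index} sourcetype={sourcetype} earliest={earliest} latest={latest} "
        f"| fillnull value={fill} {field_list} "
        f"| sort - _time | rename _time AS time | convert ctime(time) "
        f"| table time {field_list}"
    )


def build_curl_argv(base_url, user, search, out_path):
    """Assemble (but do not run) the curl argv for the export endpoint.

    --data-urlencode is used so the pipes and spaces in the SPL survive the POST body;
    the endpoint path is an assumption about the Splunk REST API, not taken from the thread.
    """
    return [
        "curl", "-k", "-u", user, f"{base_url}/services/search/jobs/export",
        "--data-urlencode", f"search={search}",
        "-d", "output_mode=csv",
        "-o", out_path,
    ]


def check_export(csv_text, expected_fields, fill=FILL):
    """Report columns missing from the CSV header and columns that are the fill sentinel in every row.

    A missing column means the search never created the field (the failure mode in the
    thread); an all-sentinel column means the explicit fillnull list did its job.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = list(reader.fieldnames or [])
    rows = list(reader)
    missing = [f for f in expected_fields if f not in header]
    all_null = [
        f for f in expected_fields
        if f in header and rows and all(r.get(f) == fill for r in rows)
    ]
    return {"header": header, "rows": len(rows), "missing": missing, "all_null": all_null}


# Constructed sample exports, not real Splunk output.
# Without the explicit field list: field4 was null everywhere and never became a column.
CSV_BEFORE = (
    "time,field1,field2,field3\n"
    "01/01/2024 00:00:00,a,b,c\n"
    "01/01/2024 00:01:00,d,NULL,e\n"
)
# With `fillnull value=NULL field1 field2 field3 field4`: field4 is present, filled with NULL.
CSV_AFTER = (
    "time,field1,field2,field3,field4\n"
    "01/01/2024 00:00:00,a,b,c,NULL\n"
    "01/01/2024 00:01:00,d,NULL,e,NULL\n"
)

if __name__ == "__main__":
    spl = build_export_search("indexname", "sourcetypename", FIELDS)
    print(" ".join(build_curl_argv("https://url", "username:password", spl, "/home/username/test.csv")))
    print("before:", check_export(CSV_BEFORE, FIELDS))
    print("after: ", check_export(CSV_AFTER, FIELDS))
```

Run the script to see the assembled curl line and the two checks; in real use, replace the sample CSV with the file curl wrote and fail the export job if `missing` is non-empty, since downstream parsers that expect a fixed column set will otherwise misalign.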
If you're using the preview_results endpoint with output_mode:json_rows, you should be able to set the field_list to include the fields you want. Those fields then should come back even if all the values are NULL.