Re: Why would a command via CLI that exports to a ...

kuja · ‎10-13-2015

Splunk Web search ran:

sourcetype=vmstat |head 10| table _time source sourcetype mem_free

OUTPUT is as listed above in that order

Splunk CLI command ran:

root@<machine_name>:/opt/splunk/bin# ./splunk search "sourcetype=vmstat |head 10| table _time source sourcetype mem_free" -maxout 20 -output csv "_time", source, sourcetype, mem_free > test.csv

The order that it shows in the output is alphabetical rather than in the order requested like the UI delivers. Is this expected behavior?

inventsekar · ‎09-22-2016

i think, the table command changes the output file format.
the -output csv (or table) does not affect the final file format.

please try -

splunk@machine:~/bin> ./splunk search "index=os_nix sourcetype=vmstat earliest=-5m@m latest=now |head 10| table _time source host sourcetype mem_free" -maxout 20 -output table _time, sourcetype, host, source, mem_free > test2.csv

INFO: Your timerange was substituted based on your search string

splunk@machine:~/bin> ./splunk search "index=os_nix sourcetype=vmstat earliest=-5m@m latest=now |head 10| table source host _time sourcetype mem_free" -maxout 20 -output table _time, sourcetype, host, source, mem_free > test3.csv

INFO: Your timerange was substituted based on your search string

gwiner · ‎09-22-2016

Mine isn't even alphabetical. The column that should be first is actually last.

carlostapia01 · ‎03-14-2016

I'm dealing with same issue. Does anyone has solved this nice behaviour?

Why would a command via CLI that exports to a CSV re-order the columns? Looks like the columns get re-ordered alphanumerically.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life