Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why would a command via CLI that exports to a CSV re-order the columns? Looks like the columns get re-ordered alphanumerically.

kuja
Splunk Employee
Splunk Employee
‎10-13-2015 02:34 PM

Splunk Web search ran:

sourcetype=vmstat |head 10| table _time source sourcetype mem_free

OUTPUT is as listed above in that order

Splunk CLI command ran:

root@<machine_name>:/opt/splunk/bin# ./splunk search "sourcetype=vmstat |head 10| table _time source sourcetype mem_free" -maxout 20 -output csv "_time", source, sourcetype, mem_free > test.csv

The order that it shows in the output is alphabetical rather than in the order requested like the UI delivers. Is this expected behavior?

Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-22-2016 06:17 PM

i think, the table command changes the output file format.
the -output csv (or table) does not affect the final file format.

please try - 

splunk@machine:~/bin> ./splunk search "index=os_nix sourcetype=vmstat earliest=-5m@m latest=now |head 10| table _time source host sourcetype mem_free" -maxout 20 -output table _time, sourcetype, host, source, mem_free > test2.csv

INFO: Your timerange was substituted based on your search string

splunk@machine:~/bin> ./splunk search "index=os_nix sourcetype=vmstat earliest=-5m@m latest=now |head 10| table source host _time sourcetype mem_free" -maxout 20 -output table _time, sourcetype, host, source, mem_free > test3.csv

INFO: Your timerange was substituted based on your search string

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

gwiner
New Member
‎09-22-2016 04:55 PM

Mine isn't even alphabetical. The column that should be first is actually last.

0 Karma
Reply

carlostapia01
New Member
‎03-14-2016 07:36 PM

I'm dealing with same issue. Does anyone has solved this nice behaviour?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...