Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why would a command via CLI that exports to a CSV re-order the columns? Looks like the columns get re-ordered alphanumerically.

kuja
Splunk Employee
Splunk Employee
‎10-13-2015 02:34 PM

Splunk Web search ran:

sourcetype=vmstat |head 10| table _time source sourcetype mem_free

OUTPUT is as listed above in that order

Splunk CLI command ran:

root@<machine_name>:/opt/splunk/bin# ./splunk search "sourcetype=vmstat |head 10| table _time source sourcetype mem_free" -maxout 20 -output csv "_time", source, sourcetype, mem_free > test.csv

The order that it shows in the output is alphabetical rather than in the order requested like the UI delivers. Is this expected behavior?

Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-22-2016 06:17 PM

i think, the table command changes the output file format.
the -output csv (or table) does not affect the final file format.

please try - 

splunk@machine:~/bin> ./splunk search "index=os_nix sourcetype=vmstat earliest=-5m@m latest=now |head 10| table _time source host sourcetype mem_free" -maxout 20 -output table _time, sourcetype, host, source, mem_free > test2.csv

INFO: Your timerange was substituted based on your search string

splunk@machine:~/bin> ./splunk search "index=os_nix sourcetype=vmstat earliest=-5m@m latest=now |head 10| table source host _time sourcetype mem_free" -maxout 20 -output table _time, sourcetype, host, source, mem_free > test3.csv

INFO: Your timerange was substituted based on your search string

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

gwiner
New Member
‎09-22-2016 04:55 PM

Mine isn't even alphabetical. The column that should be first is actually last.

0 Karma
Reply

carlostapia01
New Member
‎03-14-2016 07:36 PM

I'm dealing with same issue. Does anyone has solved this nice behaviour?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...