Thank you for the answer!
For me, your approach works, but isn't particularly scalable. I have ~50 queries that change frequently, and maintaining the column list in two points in the query is a bit fragile. The subsearch is also unbounded in time, so it can be expensive on large indexes.
My current solution is to detect if no data was returned, then submit the query to the parsing endpoint and extract the fields from the reportsSearch key. It's also fairly fragile (it depends on the last command being a table), but it avoids the penalty of resubmitting the search.
Ideally Splunk would adjust things so that an output_mode=csv would return the headers always, or at least expose an option for it.