How to configure Splunk to not put CSV columns in ...

splunk6161 · ‎06-29-2017

When I import the csv file (before indexing), Splunk puts the columns in alphabetical order.
I would keep the sort as in the csv file.
thanks

woodcock · ‎06-29-2017

Splunk does not change anything upon indexing. What you are seeing is the fact that Splunk automatically sorts fields alphabetically if you do something like | table * so instead, list out the fields in the order that you like with | table field1 field2 field3 fieldz.

splunk6161 · ‎06-30-2017

ok but its possible to see columns NOT in alphabetical order before indexing?

woodcock · ‎06-30-2017

Splunk indexes the files EXACTLY AS THEY ARE. It does not resort columns. So sort them in the order you like before Splunk gets a look at them.

sbbadri · ‎06-29-2017

Hello,

you can do the following,

$SPLUNK_HOME/etc/apps//local/transforms.conf

[extract_csv]
filename = extract.csv
index_fields_list = field1, field2 ....

How to configure Splunk to not put CSV columns in alphabetical order before indexing?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

How to configure Splunk to not put CSV columns in alphabetical order before indexing?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I