How to configure Splunk to not put CSV columns in ...

splunk6161 · ‎06-29-2017

When I import the csv file (before indexing), Splunk puts the columns in alphabetical order.
I would keep the sort as in the csv file.
thanks

woodcock · ‎06-29-2017

Splunk does not change anything upon indexing. What you are seeing is the fact that Splunk automatically sorts fields alphabetically if you do something like | table * so instead, list out the fields in the order that you like with | table field1 field2 field3 fieldz.

splunk6161 · ‎06-30-2017

ok but its possible to see columns NOT in alphabetical order before indexing?

woodcock · ‎06-30-2017

Splunk indexes the files EXACTLY AS THEY ARE. It does not resort columns. So sort them in the order you like before Splunk gets a look at them.

sbbadri · ‎06-29-2017

Hello,

you can do the following,

$SPLUNK_HOME/etc/apps//local/transforms.conf

[extract_csv]
filename = extract.csv
index_fields_list = field1, field2 ....

How to configure Splunk to not put CSV columns in alphabetical order before indexing?

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?

How to configure Splunk to not put CSV columns in alphabetical order before indexing?

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases