Hi,

if you are getting epoch time in your output csv you can convert the _time like this,

| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")

So your search would be like this,

sourcetype=csms_log date_month=December ID begin.action | join type=outer ID [ search sourcetype=tony ID detail.identity| stats values(detail_identity) as mcn by ID|fields ID mcn]  | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") | table time ID mcn begin_action _raw | outputcsv [ | stats count | eval filename=strftime(_time, "%Y%m") | return $filename]

Accept this answer if its solves your query.

Cheerrs!

Hi,

Thanks for the prompted reply! Vasanthmss!

SQL used.
sourcetype=csms_log date_month=December ID begin.action | join type=outer ID [ search sourcetype=tony ID detail.identity| stats values(detail_identity) as mcn by ID|fields ID mcn] | table _time ID mcn begin_action _raw | outputcsv [ | stats count | eval filename=strftime(_time, "%Y%m") | return $filename]

However, do you have any idea why the CSV generated via outputcsv is in a different format as
export to csv (via Web interface) :

I found _time column display as as 1417622399.196 in above script
however, it display correctly if manual export to csv from the browser!

Hi Henry,

try this,

sourcetype=x,as_log ID | table _time ID mcn begin_action Desc _raw | outputcsv [ | stats count | eval filename=strftime(now(), "%Y%m") | return $filename]

The above query will help you to get the today's date. your can change the sub search based on your requirement like instead of now() you can use any date param.

Cheersss!

Have you tried using the Splunk CLI interface?

Have a look at the CLI documentation: http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/CLIsearchsyntax you might easily combine it with some scripting (PowerShell, Bash, etc) to produce what you need.

Cheers,