Hi, I have an issue with the map command. The query is:
index=myindex field=value | stats count by host | map maxsearches=100 search="search index=myindex host=$host$ | outputtext usexml=false | fields _raw | fields - _time, _xml | outputcsv $host$.[search | head 1 | eval start=strftime(relative_time(now(), "-7d@d"), "%d_%m_%Y") | eval end=strftime(relative_time(now(), "-1d@d"), "%d_%m_%Y") | eval query="from".start."_to_".end.".txt" | fields query | format "" "" "" "" "" ""]"
but it does not return results. Any hint? Thank you
You can easily export all the raw data in the index myindex
by running this from the CLI:
$SPLUNK_HOME/bin/splunk export eventdata -index myindex -dir /some/dir/
I see. In that case, give this a shot in the web UI:
index=myindex | eval _dstpath = host | dump basefilename=myexport
That'll create one directory per host under $SPLUNK_HOME/var/run/splunk/dispatch/sid/dump and dump the raw events for that host there.
Thank you, but I need a different file for each host in the index (the parameter in map command)
What are you trying to achieve?
I'm trying to have a file with all the raw data in the index "myindex"
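One way to get one raw-data file per host with map, as an added example that is not code from any poster in this thread: build the per-host filename (date range included) as a field in the outer search, so the map search string needs no subsearch, and let `$outfile$` carry it into `outputcsv`. It assumes the same index and the same 7-days-ago to yesterday window as the original query, and adds a `replace()` that strips characters other than letters, digits, `.`, `_` and `-` from the host value before it is used as a filename.

```spl
index=myindex
| stats count by host
| eval start=strftime(relative_time(now(), "-7d@d"), "%d_%m_%Y"),
       end=strftime(relative_time(now(), "-1d@d"), "%d_%m_%Y"),
       safehost=replace(host, "[^A-Za-z0-9._-]", "_"),
       outfile=safehost."_from_".start."_to_".end
| map maxsearches=100 search="search index=myindex host=\"$host$\" earliest=-7d@d latest=-1d@d | fields _raw | fields - _time | outputcsv $outfile$"
```

The files land in $SPLUNK_HOME/var/run/splunk/csv/ with a .csv extension, one per host, each containing only the _raw column; `maxsearches` caps how many hosts are exported per run, so raise it if the `stats` output has more rows than that.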