I have a command on the Splunk server, i.e.:
" /splunk search ' .. | stats dc(f_name)' -uri "
I have to save the result of this in a file. Can I do it?
Yes, you can either use the outputlookup or the outputcsv commands.
There are other alternatives too, but those are the ones you can run from the search gui.
Try it like this:
" ./splunk search ' .. | stats dc(f_name) | outputcsv file_name' -uri "
The file_name.csv file should be located in the $SPLUNK_HOME/var/run/splunk directory.
This search is for "Splunk link".
But I need to do it on the server itself, by using a Splunk command?
Hi, did this work for you?
Hi, I'm a bit confused about your comments.
In summary, if you want to run your command and save the results to disk from the Splunk server:
./splunk search 'yoursearch | stats dc(f_name)' > yourfilename.txt
If you want to run it from the Splunk GUI:
yoursearch | stats dc(f_name) | outputcsv yourfilename.csv
If neither of those two works for you, please provide more information.
Thanks,
J
Both are working fine.
Thanks for the help.
Kind regards,
Gaurav Pant
@javiergn,
With the above query I will get the distinct count of the field, but with this I also want the current date. Can this be done with this query only?
Example: the result should be:
dc(f_name) date
100 10th JAN, 2016
Can you please help me with this?
Sure, something like this should do the trick:
yoursearch
| timechart span=1d dc(f_name)
If you want to group by week, month, etc., simply play with the span values.
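
An added example, not part of the original thread: one way to do both things discussed above from the server shell, running the search with the Splunk CLI and appending the distinct count together with the current date to a file. The names `SPLUNK_BIN`, `OUT_FILE`, `BASE_SEARCH` and `distinct_f_name` are assumptions, the date is written as YYYY-MM-DD rather than "10th JAN, 2016" so rows sort correctly, and an existing CLI session from `splunk login` is assumed.

```sh
#!/bin/sh
# Added example. Assumed names (not from the thread): SPLUNK_BIN, OUT_FILE,
# BASE_SEARCH, distinct_f_name. Assumes the CLI already has a session from
# `splunk login`; passing -auth user:password here would expose it in `ps`.
SPLUNK_BIN="${SPLUNK_BIN:-${SPLUNK_HOME:-/opt/splunk}/bin/splunk}"
OUT_FILE="${OUT_FILE:-./f_name_daily.csv}"
BASE_SEARCH="${BASE_SEARCH:-yoursearch}"   # placeholder, as in the thread

# Build the SPL: distinct count plus today's date as a second column.
build_query() {
  printf '%s | stats dc(f_name) AS distinct_f_name | eval date=strftime(now(), "%%Y-%%m-%%d") | table distinct_f_name date' "$1"
}

# Run the search once and append one validated "count,date" row to OUT_FILE.
run_report() {
  query="$(build_query "$BASE_SEARCH")"
  raw="$("$SPLUNK_BIN" search "$query" -output csv -maxout 0)" || {
    echo "splunk search failed" >&2; return 1; }
  # First non-empty line is the CSV header, the last one is the data row.
  row="$(printf '%s\n' "$raw" | tr -d '\r"' | awk 'NF { last = $0 } END { print last }')"
  # Refuse to store anything that is not exactly <integer>,<YYYY-MM-DD>.
  if ! printf '%s\n' "$row" | grep -Eq '^[0-9]+,[0-9]{4}-[0-9]{2}-[0-9]{2}$'; then
    echo "unexpected search output: $row" >&2; return 1
  fi
  (
    umask 077    # results file readable by the owning account only
    [ -s "$OUT_FILE" ] || echo 'distinct_f_name,date' >> "$OUT_FILE"
    printf '%s\n' "$row" >> "$OUT_FILE"
  )
}

# Run only when executed directly with RUN=1, so the functions can be sourced.
if [ "${RUN:-0}" = 1 ]; then run_report; fi
```

Scheduled once a day (for example from cron with `RUN=1`), this builds up one row per day in the output file.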