I've created a search that counts each value of "nlist" in a particular timeframe:
nodelist | rex field=_raw "nodelist \"\"(?<nlist>[0-9 ]*)" |fields + nlist | timechart count(nlist) BY nlist
This produces exactly the table I need. When I attempt to export these results into a CSV, JSON, or XML file -- using the drop-down "Actions"->"Export results..." I do get a file downloaded to my local machine; but that file contains only the _time field.
What I believe is happening here is that even though I'm in table view and can see count(nlist) BY nlist, the export happens on the eventlist (and doesn't even include the nlist even though I've included it explicitly by use of "fields").
NOTE: I do not have access to the Splunk server, so "exportcsv" is not an option for me. I can only use Actions->Export Results to get data off the server.
It looks like you just want counts over a time span by nlist. To accomplish this, use the bucket command.
nodelist | bucket _time span=5m | rex field=_raw "nodelist \"\"(?<nlist>[0-9 ]*)" | fields + nlist | stats count(nlist) as list_count by _time, nlist
Change span to the interval you want counts for. This should fix your export problem. Hope this helps or gives you an idea.
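The reason the bucket/stats form exports cleanly is that it produces a long-format result (one row per _time/nlist pair) instead of the pivoted table that timechart draws. The following added Python example, which is not from the thread and not a Splunk component, reproduces that pipeline offline over constructed sample events: it applies the thread's rex pattern, floors each timestamp to a 5-minute span the way `bucket _time span=5m` does, counts by (_time, nlist) like `stats count ... by _time, nlist`, and writes the rows as CSV. The event text, timestamps and field names are assumptions made up for the demonstration.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (not from the thread): (timestamp, raw event text).
# The raw text deliberately contains the doubled quotes the rex pattern expects.
SAMPLE_EVENTS = [
    ("2012-03-01 10:01:10", 'nodelist ""12 34"" status=ok'),
    ("2012-03-01 10:03:55", 'nodelist ""12 34"" status=ok'),
    ("2012-03-01 10:04:20", 'nodelist ""56"" status=ok'),
    ("2012-03-01 10:06:01", 'nodelist ""12 34"" status=ok'),
    ("2012-03-01 10:09:59", 'nodelist ""78 90"" status=warn'),
    ("2012-03-01 10:11:30", 'nodelist ""56"" status=ok'),
    ("2012-03-01 10:12:00", 'no nodelist here'),  # no match: nlist is null, so stats skips it
]

# Same pattern as the thread's rex, in Python named-group syntax.
NLIST_RE = re.compile(r'nodelist ""(?P<nlist>[0-9 ]*)')


def bucket_time(ts, span_minutes=5):
    """Floor a timestamp to the start of its span, like `bucket _time span=5m`."""
    floored_minute = ts.minute - (ts.minute % span_minutes)
    return ts.replace(minute=floored_minute, second=0, microsecond=0)


def stats_count_by_time_nlist(events, span_minutes=5):
    """Equivalent of `... | stats count(nlist) as list_count by _time, nlist`.

    Returns one dict per (_time, nlist) pair, sorted by time then nlist,
    which is the long-format shape that exports to CSV/JSON/XML without loss.
    """
    counts = Counter()
    for ts_text, raw in events:
        match = NLIST_RE.search(raw)
        if match is None:
            continue  # count(nlist) ignores events where nlist is null
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        counts[(bucket_time(ts, span_minutes), match.group("nlist"))] += 1
    return [
        {"_time": t.strftime("%Y-%m-%d %H:%M:%S"), "nlist": n, "list_count": c}
        for (t, n), c in sorted(counts.items())
    ]


def to_csv(rows):
    """Serialize the stats rows as CSV text (what a row-per-result export yields)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["_time", "nlist", "list_count"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(stats_count_by_time_nlist(SAMPLE_EVENTS)))
```

Running it prints a header line followed by five data rows, one per span/nlist combination; the 10:12 event without a nodelist value contributes nothing, matching how count(nlist) treats a missing field.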
Hi, thanks for the idea, I will give it a try and come back and let you know.
The app also works on 4.x. Is it possible for you to upgrade to 4.x?
Thanks for the idea for alternative access. Unfortunately, as noted above, I don't have access to the internals of the Splunk server, and we're on Splunk 3.x while this solution is shown as 5.x.
If you have PowerPivot installed in Excel, you can also try the OData app (http://splunk-base.splunk.com/apps/58162/odata-for-splunk) to pull Saved Search data from Splunk into Excel.