Export results of timechart into CSV or other format

myudkowsky
Communicator

I've created a search that counts each value of "nlist" in a particular timeframe:

nodelist | rex field=_raw "nodelist \"\"(?<nlist>[0-9 ]*)" |fields + nlist | timechart count(nlist) BY nlist

This produces exactly the table I need. When I attempt to export these results into a CSV, JSON, or XML file -- using the drop-down "Actions"->"Export results..." -- I do get a file downloaded to my local machine, but that file contains only the _time field.

What I believe is happening here is that even though I'm in table view and can see count(nlist) BY nlist, the export happens on the eventlist (and doesn't even include the nlist even though I've included it explicitly by use of "fields").

  1. Can "export results" be used to export this kind of information, namely counts and values?
  2. If so, what am I doing wrong?

NOTE: I do not have access to the Splunk server, so "exportcsv" is not an option for me. I can only use Actions->Export Results to get data off the server.

0 Karma

bmacias84
Champion

It looks like you just want counts over a time span by nlist. To accomplish this, use the bucket command.


mysearch | bucket _time span=5m | search nodelist | rex field=_raw "nodelist \"\"(?<nlist>[0-9 ]*)" | fields + nlist | stats count(nlist) as list_count by _time, nlist

Change span to the interval you want counts for. This should fix your export problem. Hope this helps or gives you an idea.

0 Karma
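
An added example, not part of the original post and not Splunk code: the stats search above returns one row per _time bucket and nlist value, so its export is in long format rather than the table timechart displays. This Python script pivots such an exported CSV back into a timechart-style table; the column names (_time, nlist, list_count) come from the search above, while the sample rows and their timestamp format are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an exported CSV: one row per (_time bucket, nlist
# value), using the column names from the stats search above.
SAMPLE_EXPORT = """_time,nlist,list_count
2012-06-01 10:00:00,1 2 3,4
2012-06-01 10:00:00,7 8,1
2012-06-01 10:05:00,1 2 3,2
2012-06-01 10:10:00,7 8,5
"""


def pivot_export(csv_text):
    """Turn long-format rows into a timechart-style table.

    Returns (header, rows): header is ["_time", <nlist values...>] and each
    row holds the count per nlist value for one time bucket (0 if absent).
    """
    counts = defaultdict(dict)  # _time -> {nlist: count}
    series = set()
    for rec in csv.DictReader(io.StringIO(csv_text)):
        nlist = rec["nlist"].strip()
        bucket = counts[rec["_time"]]
        # Sum in case the export contains the same (_time, nlist) pair twice.
        bucket[nlist] = bucket.get(nlist, 0) + int(rec["list_count"])
        series.add(nlist)
    columns = sorted(series)
    header = ["_time"] + columns
    # Assumption: timestamps sort correctly as strings (true for the
    # constructed year-first format used in the sample).
    rows = [[t] + [counts[t].get(c, 0) for c in columns] for t in sorted(counts)]
    return header, rows


def to_csv(header, rows):
    """Serialize the pivoted table back to CSV text."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(*pivot_export(SAMPLE_EXPORT)))
```

Time buckets in which an nlist value did not occur are filled with 0, so every row has the same columns.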

myudkowsky
Communicator

Hi, thanks for the idea, I will give it a try and come back and let you know.

0 Karma

Neeraj_Luthra
Splunk Employee

The app also works on 4.x. Is it possible for you to upgrade to 4.x?

0 Karma

myudkowsky
Communicator

Thanks for the idea for alternative access. Unfortunately, as noted above, I don't have access to the internals of the Splunk server, and we're on Splunk 3.x while this solution is shown as 5.x.

0 Karma

Neeraj_Luthra
Splunk Employee

If you have PowerPivot installed in Excel, you can also try the OData app (http://splunk-base.splunk.com/apps/58162/odata-for-splunk) to pull Saved Search data from Splunk into Excel.

0 Karma