Getting Data In

How to export to csv the search results which used base search?

pinksqtuason
Explorer

I have a dashboard that used base searches, which disabled the export button at the bottom of my panels. Is there a simple way I could use to export the results in each panel to CSV?

Thanks


chrabi
Loves-to-Learn Lots

Maybe this will be useful for someone: [How to export to CSV only 2 rows from a base query]

#Workaround: export with base search and post-processing.
1. In your dashboard XML:
<search id="BASE_SEARCH_EXAMPLE">
  <query>
    index=_internal sourcetype=* | fields *
  </query>
</search>

2. Post-processing query: stats based on the base search, showing only 2 rows.
<Base Search> | stats count by source | head 2

<table>
  <title>Post Processing table with 2 rows for export</title>
  <search base="BASE_SEARCH_EXAMPLE">
    <done>
      <set token="start_query_inputlookup">| inputlookup FileForExport.csv</set>
    </done>
    <query>| stats count by source
| head 2
| outputlookup FileForExport.csv</query>
  </search>
  <option name="drilldown">none</option>
</table>

3. Hidden table with the query "| inputlookup FileForExport.csv"; its job.sid is required for the export token $job_exportTocsv$.

<!-- $nevershow$ is never set, so this panel stays hidden -->
<panel depends="$nevershow$">
  <table>
    <title>Hide table with import query, job.sid required for export.</title>
    <search>
      <done>
        <set token="job_exportTocsv">$job.sid$</set>
      </done>
      <query>$start_query_inputlookup$</query>
      <earliest>$earliest$</earliest>
      <latest>$latest$</latest>
      <refreshType>delay</refreshType>
    </search>
  </table>
</panel>

4. Button or link required to download the CSV file; paste it somewhere in the dashboard.
<panel>
  <table>
  </table>
  <html>
    <a target="_blank" class="btn" href="/api/search/jobs/$job_exportTocsv$/results?isDownload=true&amp;timeFormat=%25FT%25T.%25Q%25%3Az&amp;maxLines=0&amp;count=0&amp;filename=FileForExportDetails.csv&amp;outputMode=csv" role="button">Export_Data_csv</a>
  </html>
</panel>

0 Karma
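
The download link in step 4 of the post above is encoded twice: once as a URL query string and once for XML. As an added example (not part of the original post), this Python sketch rebuilds that href from its plain parameters, so the filename can be changed without breaking either layer. The path and parameters are those shown in the post; the function names are hypothetical and the sample SID is constructed.

```python
import html
from urllib.parse import quote, urlencode

# Path and parameters are taken from the link in the post above;
# the function names are hypothetical.
EXPORT_PATH = "/api/search/jobs/{sid}/results"
TIME_FORMAT = "%FT%T.%Q%:z"  # plain form of timeFormat before URL-encoding


def export_url(sid, filename="FileForExportDetails.csv"):
    """Return the results-download URL for one search job ID."""
    if not sid:
        raise ValueError("empty search job ID")
    params = [
        ("isDownload", "true"),
        ("timeFormat", TIME_FORMAT),
        ("maxLines", "0"),
        ("count", "0"),
        ("filename", filename),
        ("outputMode", "csv"),
    ]
    # Layer 1: percent-encode. '$' stays literal so a dashboard token such as
    # $job_exportTocsv$ survives; '/', '?', '&' and '#' in the SID are escaped
    # and cannot alter the path or add parameters.
    path = EXPORT_PATH.format(sid=quote(sid, safe="$"))
    return path + "?" + urlencode(params, quote_via=quote)


def dashboard_href(token="job_exportTocsv", filename="FileForExportDetails.csv"):
    """Return the href value as it must appear inside the dashboard XML."""
    # Layer 2: XML-escape, so every '&' becomes '&amp;'.
    return html.escape(export_url(f"${token}$", filename), quote=True)


if __name__ == "__main__":
    print(dashboard_href())
    print(export_url("1711111111.42"))  # constructed sample SID
```
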

fsolercasanova
Explorer

Using base searches in Splunk dashboards breaks the export button feature for the panels.

There are a few workarounds available depending on what your needs are. However, none of them will fix the export button on the dashboard.

1) You can use the dump command to output all your search results including the events. This WON'T be in CSV.

2) @sudosplunk mentioned the outputlookup method; this will write every time the dashboard search is run.

3) You can open the panel in a search and export from there. If you/the user have the proper permissions, this would be the closest to actually exporting from the panel.

sudosplunk
Motivator

Have a look at the outputlookup command to export results. For CSV lookups, if the lookup file does not exist, it is created in the lookups directory of the current application. Append |outputlookup file_name.csv to your search. HTH!
