The doc for the /jobs/export mentions the 'rf' parameter (v5.0.2). However, it is ignored by the REST endpoint. E.g. for this URL: https://example.com/services/search/jobs/export?search=search+*+index%3D%22somename%22++%7C+head+50&...
I expect it to return an event_code field, but it just dumps a raw set of meta fields (host, time, _raw, etc.). NONE of the actual extracted fields which work great in the UI.
How can I set up the CSV export to contain only the fields I want?
I think I made progress. The API is very very picky as to the order of piped commands...
After many many permutations this got me somewhere:
search * | head 10 | table _time,mycolumn1,event_code,from_ip,from_port
The CSV output is still not honoring the field order (I did try to pipe it to the 'fields' command, which didn't affect CSV output still). So, _time column is somewhere in the middle of the output, and not the first one. I'll try reformatting it, maybe it will agree to behave better when treated as a custom field 🙂
Another issue is the string values for columns are wrapped in double quotes, which seems really redundant when there's no need for that at all (e.g. simple values).
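An added example, not code from the thread, showing the two client-side workarounds implied above: build the export URL with `output_mode=csv` and one `rf` parameter per wanted field, then rewrite the returned CSV so it contains only the wanted columns, in the wanted order, with quotes only where the value needs them. The base URL and the sample export CSV are constructed; nothing is fetched over the network.

```python
import csv
import io
from urllib.parse import urlencode

# Column order wanted in the CSV; the export endpoint's output did not honor it.
WANTED_FIELDS = ["_time", "mycolumn1", "event_code", "from_ip", "from_port"]

# Constructed sample of what /services/search/jobs/export?output_mode=csv
# returns: every value double-quoted and the columns in arbitrary order.
SAMPLE_EXPORT_CSV = (
    '"event_code","host","_time","from_port","from_ip","mycolumn1"\r\n'
    '"4624","srv1","2013-01-01T10:00:00.000+00:00","49152","10.0.0.5","a"\r\n'
    '"4625","srv1","2013-01-01T10:00:01.000+00:00","49153","10.0.0.6","b, c"\r\n'
)


def build_export_url(base_url, spl, fields):
    """Build the export URL (base_url is a placeholder). `rf` is repeated once
    per field to ask Splunk to include it; output_mode=csv selects CSV.
    Column order still has to be enforced client-side, see reorder_csv()."""
    params = [("search", spl), ("output_mode", "csv")] + [("rf", f) for f in fields]
    return base_url.rstrip("/") + "/services/search/jobs/export?" + urlencode(params)


def reorder_csv(export_text, fields):
    """Keep only `fields`, in that order, quoting values only when they contain
    a delimiter, quote or newline. A column missing from the export becomes an
    empty string instead of raising, so a partial export still round-trips."""
    reader = csv.DictReader(io.StringIO(export_text))
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(fields)
    for row in reader:
        writer.writerow([row.get(f, "") for f in fields])
    return out.getvalue()


if __name__ == "__main__":
    print(build_export_url("https://example.com", "search * | head 10", WANTED_FIELDS))
    print(reorder_csv(SAMPLE_EXPORT_CSV, WANTED_FIELDS))
```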