Splunk Search

How do I limit the "export results" action to export only the fields that were presented to the client using FieldPicker module with StrictMode param set to "True"?

Alan_Bradley
Path Finder

Is it possible to limit the "export results" action to export only the fields that were presented to the client using FieldPicker module with StrictMode param set to "True"?

mendesjo
Path Finder

same issue as above, any solution?

bsm1970
Engager

I want to piggyback on this. I don't see an answer yet so I wanted to bring it back up. I run a search that only shows me the 5 fields I want, but I can find no way when I go to Actions --> Export Results... to get it to only export the 5 selected fields to the CSV file. I get at least a dozen additional fields I have to delete out to get my final output the way I want it.

dskillman
Splunk Employee

You need to use the | fields command. You will also have to specifically take out the raw data and time if you want.

* | fields host, clientip | fields - _raw, _time

This will only export the host and clientip fields.

bradparks
Explorer

I downvoted this post because this doesn't answer the question - piping to "fields" works only in the search, not in the exported results

0 Karma

zliu
Splunk Employee

"| fields" limits the search results to only the required fields, while FieldPicker controls what subset of the fields returned by the search is presented in the GUI. The customer definitely needs the latter - she tries to allow the end users to have control over what fields are presented, but at the same time export only the selected fields and not the whole lot.

0 Karma