For example, something that is easy to reproduce everywhere:
index="_internal" source="*/metrics.log" group="per_source_thruput" earliest=-1m | stats sum(kb) AS KB_per_hour by source
The result is something like this:
1 /opt/splunk/var/log/splunk/metrics.log 124329.388671
2 /opt/splunkforwarder/var/log/splunk/metrics.log 146905.555654
But the CSV file contains:
source
"/opt/splunkforwarder/var/log/splunk/metrics.log"
"/opt/splunkforwarder/var/log/splunk/metrics.log"
The main problem is, IMO, the relation to the stats command, because Splunk can export plain numeric fields in the correct way:
index="_internal" source="*/metrics.log" group="per_source_thruput" earliest=-1m | head 3 | table series, kbps
CSV file:
series,kbps
ps,"0.519392"
mysqlproc,"0.036884"
cpu,"0.007427"
Looks OK.