topic Re: Are there limits for the outputcsv command? in Getting Data In

Are there limits for the outputcsv command?

francescafilini — Mon, 01 Jun 2015 15:49:18 GMT

Hi,

i'm extracting data with the outputcsv command, but in the file there are not all the events returned by the search. I've already modified the value of maxresultrows in [restapi] stanza, are there any other limits to change?

Thank you

Re: Are there limits for the outputcsv command?

woodcock — Mon, 01 Jun 2015 16:40:10 GMT

In Splunk v5 the row/event limit on export directly from search results in flashtimeline was removed so you probably do not need to use outputcsv any more (unless you like it better). If you cannot get that to work, this blog describes another method (that I have not tried):

http://blogs.splunk.com/2013/09/15/exporting-large-results-sets-to-csv/

Re: Are there limits for the outputcsv command?

fdi01 — Mon, 01 Jun 2015 16:50:49 GMT

check first if your search to produce all the results you want without the outputcsv command, then you can use the outputcsv command to extract the desired result in the file.

if it no ok show me your searh.
thank

Re: Are there limits for the outputcsv command?

francescafilini — Thu, 04 Jun 2015 08:18:29 GMT

That's a very good solution, but I can't undestrand if it works for saved search too...

Re: Are there limits for the outputcsv command?

francescafilini — Thu, 04 Jun 2015 08:22:08 GMT

Hi,

the outputcsv command seems to work, but when I investigate data, I notice that there are not all the events returned in Splunk from the search. The problem is that the search returns all my events, but they are not written in the csv,

My search is:

Re: Are there limits for the outputcsv command?

woodcock — Thu, 04 Jun 2015 12:56:21 GMT

I am not sure; I have never tried it.

Re: Are there limits for the outputcsv command?

chimell — Thu, 04 Jun 2015 12:57:39 GMT

hi francescafilini
Note that outputcsv command outputs search results to the specified csv file

Look at the following example .
It outputs search results to the CSV file 'mysearch.csv'

sourcetype=access_* |stats count by categoryId | outputcsv mysearch

for more information follow this link
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Outputcsv

In your search code ,
replace host=$host$ by host=*
and $host$.txt by hosttxt

then re-test it

Re: Are there limits for the outputcsv command?

fdi01 — Thu, 04 Jun 2015 14:27:07 GMT

your search is verry good.
i see thant you append ".txt" to filename you can change and appends ".csv" to filename ?
try like this to see:

index=wineventlog host=* |stats count by host| map maxsearches=100 search="search index=wineventlog sourcetype="WinEventLog:Security" host=$host$|sort - _time |table raw| fields - _time| outputcsv $host$.csv"