Dynamic naming of files with outputcsv

gpburgett — Wed, 12 Jan 2011 08:48:00 GMT

We've got Splunk running at a customer site and one of the things that they want is to be able to get regular statistics on their incoming events and then output the stats into a format they can use with their general reporting tools. (We told them they can do it all in Splunk, but I guess they like the graphical tools they've got. Whatever. Customer is king, right?) We've got a scheduled search running that gets the stats that they want and outputs it to a csv file and it is working fine.

However the name of the output file is always the same, the one that we specified in our search string. So, I was wondering if it is possible to dynamically name the output file using basic data from the search, like maybe "sourcetype_date_hour.csv" or something like that. Can this be done?

Re: Dynamic naming of files with outputcsv

sideview — Wed, 12 Jan 2011 12:41:12 GMT

Sure can. A subsearch can do it for you.

<your search> | outputcsv [ | stats count | eval search=strftime(now(), "filename_%Y_%m_%d_%H"") | fields search]

The | stats count is just a cheap trick to create a single row. That row will have a 'count' field whose value is zero. I eval another field called 'search' and then use the fields clause to restrict to just that one field. And then subsearches are special-cased when they're given only a single field called 'search' (or 'query'). If they see that then they will return just the value of the field out into the outer search, not a whole fieldName=value term.

topic Dynamic naming of files with outputcsv in Getting Data In

Dynamic naming of files with outputcsv

Re: Dynamic naming of files with outputcsv