topic Re: Is it possible to execute a different search query for exporting to CSV? in Dashboards & Visualizations

Is it possible to execute a different search query for exporting to CSV?

sabarinathankay — Tue, 29 Sep 2020 22:04:51 GMT

Hello Splunk Experts,

I have this Simple XML dashboard with a simple Query.

    <search>
      <query>
          index="__" 
          sourcetype="__" 
          source="___" 
          DOCUMENT_ID="'$documentId$'" 
          SERVICE_NAME="$serviceName$" 
          SUCCESS_STATE="$successState$"
          | eval SERVICE_INPUT = replace(SERVICE_INPUT,"{{","")  
          | eval SERVICE_INPUT = replace(SERVICE_INPUT,"}}","")
          | eval SERVICE_OUTPUT = replace(SERVICE_OUTPUT,"{{","") 
          | eval SERVICE_OUTPUT = replace(SERVICE_OUTPUT,"}}","")
          | eval SIP = SERVICE_INPUT
          | eval SOP = SERVICE_OUTPUT
          | eval SERVICE_INPUT = substr(SERVICE_INPUT,1,15) + toString("...")
          | eval SERVICE_OUTPUT = substr(SERVICE_OUTPUT,1,15) + toString("...")
          | table TIME_STAMP, TIME_SPENT, SERVICE_NAME, SUCCESS_STATE, DOCUMENT_ID, SERVICE_INPUT , SERVICE_OUTPUT , TRANSACTION_TYPE, MACHINE_NAME, SIP, SOP 

      </query>
      <earliest>$dateFrom.earliest$</earliest>
      <latest>$dateFrom.latest$</latest>
    </search>
    <option name="drilldown">cell</option>
    <option name="count">50</option>
    <option name="showPager">true</option>
    <drilldown>
      <set token="serviceInput">$row.SIP$</set>
      <set token="serviceOutput">$row.SOP$</set>
    </drilldown>
  </table>

The values for SERVICE_INPUT , SERVICE_OUTPUT will be quite huge and hence I am shortening the length of these values to be displayed on the results table. However, I have a drilldown beneath the main search results table, upon clicking a particular row, the complete XML message for SERVICE_INPUT and SERVICE_OUTPUT is being printed with the help of $row.SIP$ and $row.SOP$ values captured through the tokens.

Now, I want to export the search results into a CSV with the entire row ie Untrimmed SERVICE_INPUT and SERVICE_OUTPUT.

I want these columns to be exported to the CSV, "TIME_STAMP", TIME_SPENT, SERVICE_NAME, SUCCESS_STATE, DOCUMENT_ID, SERVICE_INPUT , SERVICE_OUTPUT , TRANSACTION_TYPE, MACHINE_NAME".

Also I want to omit SIP and SOP values as they will be redundant for each row. In short, I need the untrimmed SERVICE_INPUT and SERVICE_OUTPUT to be exported by leaving out SIP and SOP from the export.csv file.

How do I go about doing this? Any help will he highly appreciated.

Thanks and Regards,

Sabari Nathan Krishnan

Re: Is it possible to execute a different search query for exporting to CSV?

felipesewaybric — Tue, 29 Sep 2020 22:09:27 GMT

if you want to export the data, you will need to click on that export button, but if you want to save in a csv file inside splunk, you can aways use outputlookup or outputcsv.

Unfortunately, there is no Export with the post search drilldown, so you will need to change the table if you want to exporte those values only, like:

| table TIME_STAMP TIME_SPENT SERVICE_NAME SUCCESS_STATE DOCUMENT_ID SERVICE_INPUT SERVICE_OUTPUT TRANSACTION_TYPE MACHINE_NAME

Re: Is it possible to execute a different search query for exporting to CSV?

woodcock — Fri, 30 Nov 2018 06:19:37 GMT

Store $row.SIP$ and $row.SOP$ as tokens named $rowSIP$ and $rowSOP$ and then make a 2nd drilldown with this SPL:

index="__" 
sourcetype="__" 
source="___" earliest=$dateFrom.earliest$ latest=$dateFrom.latest$
DOCUMENT_ID="'$documentId$'" 
SERVICE_NAME="$serviceName$" 
SUCCESS_STATE="$successState$"
| eval SERVICE_INPUT = replace(SERVICE_INPUT,"{{","")  
| eval SERVICE_INPUT = replace(SERVICE_INPUT,"}}","")
| eval SERVICE_OUTPUT = replace(SERVICE_OUTPUT,"{{","") 
| eval SERVICE_OUTPUT = replace(SERVICE_OUTPUT,"}}","")
| search SERVICE_INPUT = $rowSIP$ AND SERVICE_OUTPUT = $rowSOP$
| table TIME_STAMP, TIME_SPENT, SERVICE_NAME, SUCCESS_STATE, DOCUMENT_ID, SERVICE_INPUT , SERVICE_OUTPUT , TRANSACTION_TYPE, MACHINE_NAME
| sendemail ......
| outputcsv ....