topic Re: OutputCSV result is different than Splunk display in Reporting

OutputCSV result is different than Splunk display

mhng — Wed, 24 Dec 2014 04:51:35 GMT

Hi,

I've tried to query search command on Splunk which is (CALL_STOPPED OR CALL_SUCCESSFUL) COMLib earliest=11/11/2014:00:00:00 | timechart span=1d count AS "Calls"The result display in Splunk will be two columns ( _time, Calls).

Eg. _time Calls
2014-11-11 30

But when I tried to export to CSV via this command (CALL_STOPPED OR CALL_SUCCESSFUL) COMLib earliest=11/11/2014:00:00:00 | timechart span=1d count AS "Calls"| outputcsv result.csv, the CSV will display another format.

Eg. _time Calls _span _spandays
1415635200 0 86400 1

Can I know why this happening?

Re: OutputCSV result is different than Splunk display

esix_splunk — Wed, 24 Dec 2014 05:20:21 GMT

Field names with "_"'s in them are internal fields in Splunk. Outcsv is ouputing those as you have not formatted the search to only use those fields. So your search should be:

(CALL_STOPPED OR CALL_SUCCESSFUL) COMLib earliest=11/11/2014:00:00:00 | timechart span=1d count AS "Calls"| table _time Calls | outputcsv result.csv

That will output to csv the proper fields you want to see.

Re: OutputCSV result is different than Splunk display

mhng — Thu, 25 Dec 2014 04:17:53 GMT

Thanks esix_splunk,

One more question, the CSV file has output column I needed. However, on the _time column is still show 1415635200 value, instead of the date(e.g. 2014-11-11). Any comments for this issue?

Re: OutputCSV result is different than Splunk display

martin_mueller — Thu, 25 Dec 2014 04:33:23 GMT

That's the underlying timestamp representation as unix timestamps. You can format that manually if needed, for example ... |fieldformat field = strftime(field, "%F %T.%3N") will give you a date and time in human-readable format. All Splunk commands such as timechart work off the unix timestamp though, so format at the very end if needed. Additionally, the _time field should usually be formatted according to your browser's locale automatically.

Re: OutputCSV result is different than Splunk display

esix_splunk — Thu, 25 Dec 2014 05:10:03 GMT

As Martin points out, you want to change the epoch(unix) time format to human readable. Your search should become something like this:

 (CALL_STOPPED OR CALL_SUCCESSFUL) COMLib earliest=11/11/2014:00:00:00 | timechart span=1d count AS "Calls" | eval _time=humanreadabletime  | fieldformat humanreadabletime = strftime(humanreadabletime, "%F %T.%3N") | table humanreadabletime Calls |  outputcsv result.csv