https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149175#M41703 <P>Hi Henry,</P> <P>try this,</P> <PRE><CODE>sourcetype=x,as_log ID | table _time ID mcn begin_action Desc _raw | outputcsv [ | stats count | eval filename=strftime(now(), "%Y%m") | return $filename] </CODE></PRE> <P>The above query will help you to get the today's date. your can change the sub search based on your requirement like instead of now() you can use any date param.</P> <P>Cheersss!</P> Thu, 11 Dec 2014 04:22:46 GMT vasanthmss 2014-12-11T04:22:46Z https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149173#M41701 <P>As stated in subject line, i would like to split a huge log with past 12 months' log records and dynamically without hardcoding the dates and export search results into YYYYMM.csv accordingly based on their log date, how could i do that ? </P> <P>E.g. From my search command<BR /> sourcetype=xmas_log ID begin.action date_month=January | table _time ID mcn begin_action Desc _raw |outputcsv 201401.csv</P> <P>can i do something like:<BR /> sourcetype=x,as_log ID begin.action date_month=$YYYYMM| table _time ID mcn begin_action Desc _raw |outputcsv $YYYYMM.csv</P> <P>Thank you very much!</P> Mon, 28 Sep 2020 18:21:25 GMT https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149173#M41701 henry_ty_leung 2020-09-28T18:21:25Z https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149174#M41702 <P>Have you tried using the Splunk CLI interface?</P> <P>Have a look at the CLI documentation: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/CLIsearchsyntax">http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/CLIsearchsyntax</A> you might easily combine it with some scripting (PowerShell, Bash, etc) to produce what you need.</P> <P>Cheers,</P> Thu, 11 Dec 2014 04:17:06 GMT https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149174#M41702 musskopf 2014-12-11T04:17:06Z https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149175#M41703 <P>Hi Henry,</P> <P>try this,</P> <PRE><CODE>sourcetype=x,as_log ID | table _time ID mcn begin_action Desc _raw | outputcsv [ | stats count | eval filename=strftime(now(), "%Y%m") | return $filename] </CODE></PRE> <P>The above query will help you to get the today's date. your can change the sub search based on your requirement like instead of now() you can use any date param.</P> <P>Cheersss!</P> Thu, 11 Dec 2014 04:22:46 GMT https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149175#M41703 vasanthmss 2014-12-11T04:22:46Z https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149176#M41704 <P>Hi, </P> <P>Thanks for the prompted reply! Vasanthmss! </P> <P>SQL used.<BR /> sourcetype=csms_log date_month=December ID begin.action | join type=outer ID [ search sourcetype=tony ID detail.identity| stats values(detail_identity) as mcn by ID|fields ID mcn] | table _time ID mcn begin_action _raw | outputcsv [ | stats count | eval filename=strftime(_time, "%Y%m") | return $filename]</P> <P>However, do you have any idea why the CSV generated via outputcsv is in a different format as <BR /> export to csv (via Web interface) :</P> <P>I found _time column display as as 1417622399.196 in above script<BR /> however, it display correctly if manual export to csv from the browser!</P> Mon, 28 Sep 2020 18:25:21 GMT https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149176#M41704 henry_ty_leung 2020-09-28T18:25:21Z https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149177#M41705 <P>Hi,</P> <P>if you are getting epoch time in your output csv you can convert the _time like this,</P> <PRE><CODE>| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") </CODE></PRE> <P>So your search would be like this,</P> <PRE><CODE>sourcetype=csms_log date_month=December ID begin.action | join type=outer ID [ search sourcetype=tony ID detail.identity| stats values(detail_identity) as mcn by ID|fields ID mcn] | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") | table time ID mcn begin_action _raw | outputcsv [ | stats count | eval filename=strftime(_time, "%Y%m") | return $filename] </CODE></PRE> <P>Accept this answer if its solves your query.</P> <P>Cheerrs!</P> Thu, 11 Dec 2014 21:14:35 GMT https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149177#M41705 vasanthmss 2014-12-11T21:14:35Z https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149178#M41706 <P>check the above answer</P> Thu, 11 Dec 2014 21:17:23 GMT https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149178#M41706 vasanthmss 2014-12-11T21:17:23Z https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149179#M41707 <P>Hi Vasanthmss</P> <P>I have tried the sql that you have provided, however it stilll not able to return the right filename...any ideas ? <BR /> do i need to get an earliest time as the filename from below ? </P> <P>Thanks</P> <P>sourcetype=csms_log date_month=December ID begin.action | join type=outer ID [ search sourcetype=tony ID detail.identity| stats values(detail_identity) as mcn by ID|fields ID mcn] | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") | table time ID mcn begin_action _raw | outputcsv [ | stats count | eval filename=strftime(_time, "%Y%m") | return $filename]</P> <P>Henry</P> Mon, 28 Sep 2020 18:22:40 GMT https://community.splunk.com/t5/Splunk-Search/Export-search-results-into-YYYYMM-csv-dynamically-based-on-log/m-p/149179#M41707 henry_ty_leung 2020-09-28T18:22:40Z