topic Re: Is there a way to include the ad hoc search and the time range it was run when exporting the results to CSV? in Splunk Search

Is there a way to include the ad hoc search and the time range it was run when exporting the results to CSV?

jaalex101 — Tue, 21 Apr 2015 05:44:12 GMT

Hi,

Is there a way to save the Splunk search along with the time frame of the search when exporting the results to CSV? Currently, I manually add these details to the downloaded CSV file, but there are times when I miss this and wonder what the exact search was.

Thanks,
Joseph

Re: Is there a way to include the ad hoc search and the time range it was run when exporting the results to CSV?

rsennett_splunk — Tue, 21 Apr 2015 05:55:01 GMT

After you export to csv, click the print button and save to PDF. The output of the "print" includes the query and the output (as much as fits on the page, so you can remember the context.Looks like this:

Re: Is there a way to include the ad hoc search and the time range it was run when exporting the results to CSV?

jaalex101 — Tue, 21 Apr 2015 06:27:23 GMT

Thanks, but then i have to maintain two documents. Would it be an useful feature to add this in the CSV export itself ? . The slight downside would be it would have some extra text apart from the raw data itself.

Re: Is there a way to include the ad hoc search and the time range it was run when exporting the results to CSV?

jeffland — Tue, 21 Apr 2015 06:34:18 GMT

I don't see how you could put something inside a .csv file that is not recognized as content, and it seems that that's the way it is.

Re: Is there a way to include the ad hoc search and the time range it was run when exporting the results to CSV?

rsennett_splunk — Tue, 21 Apr 2015 07:05:23 GMT

To do this, it must be a saved search... otherwise, you really have no way to attach the query at all if it's adhoc and you are back to cutting and pasting... And anything else would have to be done programatically... if you're game... basically you must save the search so that the info and entry is saved in savedsearches.conf then you have two options... neither is a click away:

the PYTHON SDK
http://dev.splunk.com/view/python-sdk/SP-CAAAEK2#viewpropssaved
Grab the value of the search= key word for the stanza matching the saved search and any other key words you want (dispatch.earliest_time etc) Then open the cvs file you just wrote (or have your script find it as the latest one... etc) and add a "header" prefixed by a marker, say ## and then compose your header
write the value of search= and the others in the saved search stanza you are looking for and there you have it.

You can also retrieve the search query info using the REST API and use the Configuration Endpoints... but you would then still have to mechanize the editing of your csv file so I'd go for python. it wouldn't be super complex.

Re: Is there a way to include the ad hoc search and the time range it was run when exporting the results to CSV?

jaalex101 — Tue, 21 Apr 2015 07:56:36 GMT

Thanks. My original question was for an adhoc query with a 1-click solution , but these pointers towards a programmatic approach for a saved search is good too. Marking as accepted.

Re: Is there a way to include the ad hoc search and the time range it was run when exporting the results to CSV?

rsennett_splunk — Tue, 21 Apr 2015 23:34:41 GMT

open another question and explain that you'd like a way to export the "metadata" for a search with a click. Mark it as a feature request. 🙂

Glad this helped... thank you for accepting.