Alerting

Alert when triggered - Output results to lookup with dynamic filename

przemysaw
Explorer

hi!

I have an alert, which when triggered it saves "Output results to lookup" csv file. Is there a way to have a dynamic filename where the data is saved? I.e. instead of one name results.csv I would like to add date in the end: results_2020_08_03.csv or something like this. 

Haven't found anything in the documentation about it.

thanks in advance,

przemek

Labels (1)
Tags (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

at least this works with 8.0.5.

 

index=_internal 
| head 1 
| outputlookup
    [| makeresults 
    | eval query="results_".strftime(now(),"%d_%m_%y_%H_%M_%S").".csv" 
    | fields query 
    | format "" "" "" "" "" ""]

 

You cannot use outputcsv e.g. in SHC as it don't replicate that lookuptable as outputlookup will do.

r. Ismo 

View solution in original post

isoutamo
SplunkTrust
SplunkTrust
0 Karma

przemysaw
Explorer

Hi,

Thanks for the fast reply, but this solution is not gonna work for me. It places csv file to $SPLUNK_HOME/var/run/splunk/csv on a local searchhead. This is an alert and a file for customer who does not have access to Splunk infrastructure. 

Any other ideas?

BR,

Przemek

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

at least this works with 8.0.5.

 

index=_internal 
| head 1 
| outputlookup
    [| makeresults 
    | eval query="results_".strftime(now(),"%d_%m_%y_%H_%M_%S").".csv" 
    | fields query 
    | format "" "" "" "" "" ""]

 

You cannot use outputcsv e.g. in SHC as it don't replicate that lookuptable as outputlookup will do.

r. Ismo 

przemysaw
Explorer

This is basically what I needed - thank you

0 Karma
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...