Solved: Re: Alert when triggered - Output results to looku...

przemysaw · ‎08-03-2020

hi!

I have an alert, which when triggered it saves "Output results to lookup" csv file. Is there a way to have a dynamic filename where the data is saved? I.e. instead of one name results.csv I would like to add date in the end: results_2020_08_03.csv or something like this.

Haven't found anything in the documentation about it.

thanks in advance,

przemek

isoutamo · ‎08-04-2020

Hi

at least this works with 8.0.5.

index=_internal 
| head 1 
| outputlookup
    [| makeresults 
    | eval query="results_".strftime(now(),"%d_%m_%y_%H_%M_%S").".csv" 
    | fields query 
    | format "" "" "" "" "" ""]

You cannot use outputcsv e.g. in SHC as it don't replicate that lookuptable as outputlookup will do.

r. Ismo

View solution in original post

isoutamo · ‎08-03-2020

Hi

can you use this https://community.splunk.com/t5/Getting-Data-In/Dynamic-naming-of-files-with-outputcsv/td-p/24829 ?

r. Ismo

przemysaw · ‎08-03-2020

Hi,

Thanks for the fast reply, but this solution is not gonna work for me. It places csv file to $SPLUNK_HOME/var/run/splunk/csv on a local searchhead. This is an alert and a file for customer who does not have access to Splunk infrastructure.

Any other ideas?

BR,

Przemek

isoutamo · ‎08-04-2020

Hi

at least this works with 8.0.5.

index=_internal 
| head 1 
| outputlookup
    [| makeresults 
    | eval query="results_".strftime(now(),"%d_%m_%y_%H_%M_%S").".csv" 
    | fields query 
    | format "" "" "" "" "" ""]

You cannot use outputcsv e.g. in SHC as it don't replicate that lookuptable as outputlookup will do.

r. Ismo

przemysaw · ‎08-12-2020

This is basically what I needed - thank you

Alert when triggered - Output results to lookup with dynamic filename

alert action

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting