All Apps and Add-ons

Export Results from a postProcess

sbsbb
Builder

I wonder if it is possible to export results from a PostProcess.
If I use a "SearchControls" object, it can export results, but only from the upstream search, not from the postProcess.

Is there a way to export Data from a Postprocess, or even a Table, in csv and raw format ?

1 Solution

sideview
SplunkTrust
SplunkTrust

It's possible for this to be implemented in the future but it's not possible right now.

Good News: in the splunkd rest API, the export endpoint now does actually support passing a postprocess search as an argument called "search". You can test this out for yourself.

I ran a search of index=_internal source=*metrics.log | stats count by group series, clicked the export icon in the SearchControls module, tracked that to this in splunkd_access.log:

/servicesNS/admin/sideview_utils/search/jobs/1372868585.20/results/export?output_mode=csv&f=group&f=series&f=count&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z

and then adding a 'search' argument, and hitting the resulting URL manually on the management port:

https://localhost:8089/servicesNS/admin/sideview_utils/search/jobs/1372868585.20/results/export?outp...

and indeed the postprocess search does take effect.

The Bad News: The underlying support for postProcess doesn't go any higher in the code stack than that. When you click the export icon, the Sideview code doesn't talk to splunkd's REST api directly. Instead it talks to a controller in SplunkWeb and it looks like all of that SplunkWeb code fails to pass on the postProcess argument during export (in site-packages/splunk/appserver/mrsparkle/controllers/search.py getJobAsset neglects to pass on all the kwargs if the 'isDownload' flag is set) .

So in short, SearchControls could be modified to support postProcess on export, but I'd have to package a new export controller in Sideview. It can happen and I'll probably do it eventually but it's not a quick fix I'm afraid.

UPDATE:
In Sideview Utils 3.0 the SearchControls module was integrated against a custom controller also contained in Sideview Utils, such that exports from that module do now correctly account for postprocess searches in the view. http://sideviewapps.com/apps/sideview-utils/

View solution in original post

sbsbb
Builder

Many Thanks for your feedback

0 Karma

sideview
SplunkTrust
SplunkTrust

It's possible for this to be implemented in the future but it's not possible right now.

Good News: in the splunkd rest API, the export endpoint now does actually support passing a postprocess search as an argument called "search". You can test this out for yourself.

I ran a search of index=_internal source=*metrics.log | stats count by group series, clicked the export icon in the SearchControls module, tracked that to this in splunkd_access.log:

/servicesNS/admin/sideview_utils/search/jobs/1372868585.20/results/export?output_mode=csv&f=group&f=series&f=count&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z

and then adding a 'search' argument, and hitting the resulting URL manually on the management port:

https://localhost:8089/servicesNS/admin/sideview_utils/search/jobs/1372868585.20/results/export?outp...

and indeed the postprocess search does take effect.

The Bad News: The underlying support for postProcess doesn't go any higher in the code stack than that. When you click the export icon, the Sideview code doesn't talk to splunkd's REST api directly. Instead it talks to a controller in SplunkWeb and it looks like all of that SplunkWeb code fails to pass on the postProcess argument during export (in site-packages/splunk/appserver/mrsparkle/controllers/search.py getJobAsset neglects to pass on all the kwargs if the 'isDownload' flag is set) .

So in short, SearchControls could be modified to support postProcess on export, but I'd have to package a new export controller in Sideview. It can happen and I'll probably do it eventually but it's not a quick fix I'm afraid.

UPDATE:
In Sideview Utils 3.0 the SearchControls module was integrated against a custom controller also contained in Sideview Utils, such that exports from that module do now correctly account for postprocess searches in the view. http://sideviewapps.com/apps/sideview-utils/

sideview
SplunkTrust
SplunkTrust

Sideview Utils 3.0 released today and the SearchControls module now takes postProcess searches into account when the user exports.

http://sideviewapps.com/apps/sideview-utils/

0 Karma

ma_anand1984
Contributor

@sideview

Let us know if you have a fix in place

0 Karma

sbsbb
Builder

Many Thanks for your feedback

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...