Splunk 4.3 -> Bug -> Actions: Export Results

Motivator

In Splunk, once the search has completed, the user has the option to export the result set by selecting the following menu: "Actions: Export Results".
In Splunk version 4.3 it seems to be broken. The user is able to export the result set in CSV format, but the content of the CSV file is not consistent.
It works without any problem in 4.2.1.

Is there any workaround?
or
Is it a known bug?

Thanks

Explorer

sendemail did not work for me for some reason and I'm using Splunk v4.3.3
What did work was adding the following to the end of the search string:

| outputcsv myfile.csv

The output file was routed by default to the $SPLUNK_HOME/var/run/splunk folder.

Thanks to @yannK for this answer to a different question: http://splunk-base.splunk.com/answers/42067/can-search-results-be-exported-using-a-command-in-the-se...

0 Karma

Explorer

@lpolo, I have the same issue with Chrome (v.28) as I do with Firefox... I'm guessing the browser used is not the issue.

0 Karma

Path Finder

After months of frustration, I've found the following workaround to be reliable. After doing the search and confirming that you got what you want, add the following to the end of the search string:

| sendemail to=your@email.com sendresults=true inline=false format=csv

This will make splunk email a copy of the report to your email address, attached as a csv, with all your columns! This is assuming that your mail server is working (I also tried on our free instance and it worked). Just be careful about sending too many emails to yourself (or others). Cheers!

Explorer

Just tried adding that to my search, but no email was sent. Not sure why, as I do have email alerts set up and splunk does send emails to my inbox.

0 Karma

Splunk Employee

I am unable to repro this on the flashtimeline view.

There are 2 types of searches in Splunk: raw event generating searches and report generating searches (learn more at Types of Searches in Splunk). In your case, the search is a report generating search. Depending upon the type of search, you should set the right export parameter for the export module.

For raw event generating searches, the export module should be configured as :



event


For report generating searches, the export module should be configured as:


result

0 Karma

SplunkTrust

I filed the problem a few weeks ago. The fundamental problem is that the current 'export' feature hits the 'events' endpoint, not the results endpoint. And it passes the field list of the 'results'.

Long story short: export works great when you're exporting simple events searches. Export doesn't work at all (generates empty CSV files, or CSV files with only some columns, and with lots of repeated values) if you're exporting a report (i.e. a search with stats/chart/timechart/top... in it).

Explorer

This one does not work as well:

| eval count=replace(count, ".*", "test")

0 Karma

Explorer

For example, something that is easy to reproduce everywhere:

index="_internal" source="*/metrics.log" group="per_source_thruput" earliest=-1m | stats sum(kb) AS KB_per_hour by source

the result is something like this:

1 /opt/splunk/var/log/splunk/metrics.log 124329.388671
2 /opt/splunkforwarder/var/log/splunk/metrics.log 146905.555654

but the CSV file contains:

source
"/opt/splunkforwarder/var/log/splunk/metrics.log"
"/opt/splunkforwarder/var/log/splunk/metrics.log"

The main problem is, IMO, the relation to stats command because Splunk can export plain numeric fields in the correct way.

index="_internal" source="*/metrics.log" group="per_source_thruput" earliest=-1m | head 3 | table series, kbps.:

CSV file:

series,kbps
ps,"0.519392"
mysqlproc,"0.036884"
cpu,"0.007427"

looks OK.

SplunkTrust

It's because the export feature is hardwired to hit the 'events' endpoint, which means when you try and export the transformed results, you'll get the untransformed 'events'. In your case you get some data in the CSV, because some of the columns in your transformed data happen to have the same name in the untransformed events. Very broken.

0 Karma
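
The mismatch described in the posts above (rows taken from the 'events' endpoint, field list taken from the 'results'), modelled as an added example that is not part of the thread and not Splunk's code. The sample rows are constructed from the metrics.log example, and dropping columns that no row contains is an assumption chosen to match the CSV quoted above; `check_export` is a hypothetical helper for validating an exported file.

```python
import csv
import io

# Constructed sample data, modelled on the metrics.log example in the thread.
FWD = "/opt/splunkforwarder/var/log/splunk/metrics.log"
EVENTS = [  # untransformed events: have "source" and "kb", no "KB_per_hour"
    {"source": FWD, "group": "per_source_thruput", "kb": "73452.7"},
    {"source": FWD, "group": "per_source_thruput", "kb": "73452.8"},
]
RESULTS = [  # rows after "| stats sum(kb) AS KB_per_hour by source"
    {"source": "/opt/splunk/var/log/splunk/metrics.log", "KB_per_hour": "124329.388671"},
    {"source": FWD, "KB_per_hour": "146905.555654"},
]

def to_csv(rows, fields):
    """Serialize rows, keeping only requested fields that some row contains.
    Assumption: absent columns are dropped, matching the CSV quoted above."""
    present = [f for f in fields if any(f in row for row in rows)]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=present, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def export_as_described(events, results):
    """Model of the reported bug: the results' field list, but rows from events."""
    return to_csv(events, list(results[0]))

def export_results(results):
    """What the user expects: the results' field list and the results' rows."""
    return to_csv(results, list(results[0]))

def check_export(csv_text, expected_fields, expected_rows):
    """Return a list of problems found in an exported CSV (empty list = OK)."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header, body = (rows[0], rows[1:]) if rows else ([], [])
    problems = [f"missing column: {f}" for f in expected_fields if f not in header]
    if len(body) != expected_rows:
        problems.append(f"row count {len(body)} != {expected_rows}")
    if len(set(map(tuple, body))) < len(body):
        problems.append("duplicate rows")  # a "stats ... by" result has unique keys
    return problems

if __name__ == "__main__":
    broken = export_as_described(EVENTS, RESULTS)
    print(broken)
    print(check_export(broken, list(RESULTS[0]), len(RESULTS)))
```

Running a check like this against the on-screen field list and row count catches a silently truncated export before the file is relied on for reporting or an investigation.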

Explorer

Exactly like lpolo mentioned. If you have a count column and export the results to CSV, the count column is missing. It's easy to reproduce.

0 Karma

Motivator

I noticed that this problem occurs with Chrome version 17.0.963.78 m on the Windows platform. We tried the beta version of Chrome under Mac OS X and it works as it should.

0 Karma

Splunk Employee

I'm not quite sure what you mean by "the content of the CSV file is not consistent...." There is a defect in 4.3 where search results using the _time format are not human-readable when you export events using the Export button. This is mentioned in the known issues. The workaround is to use the convert...ctime() function (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/convert ).

0 Karma

Communicator

I'm sorry to say that I'm running 4.3.3 and I'm still seeing this bug.
This is when using Actions>Export Results in a standard search (which uses 'top')
The workaround of using sendemail is good enough for now.

0 Karma

Splunk Employee

There were three related defects behind this behavior. The problem is fixed in the forthcoming 4.3.3 maintenance release.

0 Karma

SplunkTrust

I think what's adding to the confusion is that there are several places that have export functionality. There's the TitleBar module (which seems to have this bug), the advanced charting view has a little 'export' link (which seems to have this bug), and the flashtimeline view has a little 'export' link, well actually three separate export links, and they appear to work. However I think many if not most people running complex reports are doing so in the charting view. TitleBar isn't used much in core search UI, but is still widely used in apps.

0 Karma

Splunk Employee

I can't reproduce this. I'm on 4.3.2 and can successfully export results from queries using count and sum.

0 Karma

Explorer

I am having exactly the same bug. Is there any fix?

0 Karma

Motivator

It is not the case. You can test it by running any query that aggregates any data set. Example:

|stats count by house.

Your result set is:

house count
house_1 10
house_2 7
.......

If you export this result set in csv, the content of the csv file does not show the count column.

0 Karma