In Splunk, once the search has completed, the user has the option to export the result set by selecting the menu "Actions: Export Results".
In Splunk version 4.3 this seems to be broken. The user is able to export the result set in CSV format, but the content of the CSV file is not consistent.
It works without any problem in 4.2.1.
Is there any workaround?
Is it a known bug?
sendemail did not work for me for some reason and I'm using Splunk v4.3.3
What did work was adding the following to the end of the search string:
| outputcsv myfile.csv
The output file was routed by default to the $SPLUNK_HOME/var/run/splunk folder.
Thanks to @yannK for this answer to a different question: http://splunk-base.splunk.com/answers/42067/can-search-results-be-exported-using-a-command-in-the-se...
After months of frustration, I've found the following workaround to be reliable. After doing the search and confirming that you got what you want, add the following to the end of the search string:
| sendemail to=firstname.lastname@example.org sendresults=true inline=false format=csv
This will make Splunk email a copy of the report to your email address, attached as a csv, with all your columns! This is assuming that your mail server is working (I also tried on our free instance and it worked). Just be careful about sending too many emails to yourself (or others). Cheers!
I am unable to repro this on the flashtimeline view.
There are 2 types of searches in Splunk: raw event generating searches and report generating searches. (Learn more at Types of Searches in Splunk.) In your case, the search is a report generating search. Depending upon the type of search, you should set the right export parameter for the export module.
For raw event generating searches, the export module should be configured as:
I filed the problem a few weeks ago. The fundamental problem is that the current 'export' feature hits the 'events' endpoint, not the results endpoint. And it passes the field list of the 'results'.
Long story short -- export works great when you're exporting simple events searches. Export doesn't work at all (generates empty csv files, or csv files with only some columns, and with lots of repeated values) if you're exporting a report (i.e. a search with stats/chart/timechart/top... in it).
For example, something that is easy to reproduce everywhere:
index="_internal" source="*/metrics.log" group="per_source_thruput" earliest=-1m | stats sum(kb) AS KB_per_hour by source
The result is something like this:
1 /opt/splunk/var/log/splunk/metrics.log 124329.388671
2 /opt/splunkforwarder/var/log/splunk/metrics.log 146905.555654
but the CSV file contains:
source
"/opt/splunkforwarder/var/log/splunk/metrics.log"
"/opt/splunkforwarder/var/log/splunk/metrics.log"
The main problem is, IMO, the relation to the stats command, because Splunk can export plain numeric fields in the correct way.
index="_internal" source="*/metrics.log" group="per_source_thruput" earliest=-1m | head 3 | table series, kbps:
series,kbps
ps,"0.519392"
mysqlproc,"0.036884"
cpu,"0.007427"
It's because the export feature is hardwired to hit the 'events' endpoint, which means when you try and export the transformed results, you'll get the untransformed 'events'. In your case you get some data in the csv, because some of the columns in your transformed data happen to have the same name in the untransformed events. Very broken.
I'm not quite sure what you mean by "the content of the CSV file is not consistent...." There is a defect in 4.3 where search results using the _time format are not human-readable when you export events using the Export button. This is mentioned in the known issues. The workaround is to use the convert...ctime() function (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/convert).
I'm sorry to say that I'm running 4.3.3 and I'm still seeing this bug.
This is when using Actions>Export Results in a standard search (which uses 'top')
The workaround of using sendemail is good enough for now.
I think what's adding to the confusion is that there are several places that have export functionality. There's the TitleBar module (which seems to have this bug), the advanced charting view has a little 'export' link (which seems to have this bug), and the flashtimeline view has a little 'export' link, well actually three separate export links, and they appear to work. However I think many if not most people running complex reports are doing so in the charting view. TitleBar isn't used much in core search UI, but is still widely used in apps.
It is not the case. You can test it by running any query that aggregates any data set. Example:
| stats count by house
Your result set is:
If you export this result set in csv, the content of the csv file does not show the count column.