Splunk Search

Splunk 4.3 -> Bug -> Actions: Export Results

lpolo
Motivator

In Splunk, once the search has completed, the user has the option to export the result set by selecting the following menu: "Actions: Export Results".
In Splunk version 4.3 this seems to be broken. The user is able to export the result set in CSV format, but the content of the CSV file is not consistent.
It works without any problem in 4.2.1.

Is there any workaround?
or
Is it a known bug?

Thanks


drapkin11
Explorer

sendemail did not work for me for some reason and I'm using Splunk v4.3.3
What did work was adding the following to the end of the search string:

| outputcsv myfile.csv

The output file was routed by default to the $SPLUNK_HOME/var/run/splunk folder.

Thanks to @yannK for this answer to a different question: http://splunk-base.splunk.com/answers/42067/can-search-results-be-exported-using-a-command-in-the-se...

0 Karma

drapkin11
Explorer

@lpolo, I have the same issue with Chrome (v.28) as I do with Firefox... I'm guessing the browser used is not the issue.

0 Karma

ytamura
Path Finder

After months of frustration, I've found the following workaround to be reliable. After doing the search and confirming that you got what you want, add the following to the end of the search string:

| sendemail to=your@email.com sendresults=true inline=false format=csv

This will make splunk email a copy of the report to your email address, attached as a csv, with all your columns! This is assuming that your mail server is working (I also tried on our free instance and it worked). Just be careful about sending too many emails to yourself (or others). Cheers!

drapkin11
Explorer

Just tried adding that to my search, but no email was sent. Not sure why, as I do have email alerts set up and splunk does send emails to my inbox.

0 Karma

nmistry_splunk
Splunk Employee

I am unable to repro this on the flashtimeline view.

There are 2 types of searches in Splunk: raw event generating searches and report generating searches (learn more at Types of Searches in Splunk). In your case, the search is a report generating search. Depending upon the type of search, you should set the right export parameter for the export module.

For raw event generating searches, the export module should be configured as :



event


For report generating searches, the export module should be configured as:


result

0 Karma

sideview
SplunkTrust

I filed the problem a few weeks ago. The fundamental problem is that the current 'export' feature hits the 'events' endpoint, not the results endpoint. And it passes the field list of the 'results'.

long story short -- export works great when you're exporting simple events searches. Export doesn't work at all (generates empty csv files, or csv files with only some columns, and with lots of repeated values), if you're exporting a report (ie a search with stats/chart/timechart/top... in it)

jankucera
Explorer

this one does not work as well:

| eval count=replace(count, ".*", "test")
0 Karma

jankucera
Explorer

For example, something that is easy to reproduce everywhere:

index="_internal" source="*/metrics.log" group="per_source_thruput" earliest=-1m | stats sum(kb) AS KB_per_hour by source

the result is something like this:

1 /opt/splunk/var/log/splunk/metrics.log 124329.388671
2 /opt/splunkforwarder/var/log/splunk/metrics.log 146905.555654

but the CSV file contains:

source
"/opt/splunkforwarder/var/log/splunk/metrics.log"
"/opt/splunkforwarder/var/log/splunk/metrics.log"

The main problem is, IMO, the relation to stats command because Splunk can export plain numeric fields in the correct way.

index="_internal" source="*/metrics.log" group="per_source_thruput" earliest=-1m | head 3 | table series, kbps.:

CSV file:

series,kbps
ps,"0.519392"
mysqlproc,"0.036884"
cpu,"0.007427"

looks OK.

sideview
SplunkTrust

It's because the export feature is hardwired to hit the 'events' endpoint, which means when you try and export the transformed results, you'll get the untransformed 'events'. In your case you get some data in the csv, because some of the columns in your transformed data happen to have the same name in the untransformed events. very broken.

0 Karma
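A simplified model of the mechanism described in the post above, added here as an illustration (it is not code from the thread or from Splunk): the export takes rows from the untransformed events but the field list from the transformed results, which reproduces the missing `KB_per_hour` column and the repeated `source` values. The event values and all function names are constructed for this example.

```python
import csv
import io
from collections import defaultdict

FWD = "/opt/splunkforwarder/var/log/splunk/metrics.log"
IDX = "/opt/splunk/var/log/splunk/metrics.log"
# Constructed raw events, shaped like per_source_thruput entries in metrics.log.
EVENTS = [
    {"source": FWD, "group": "per_source_thruput", "kb": "1.5"},
    {"source": FWD, "group": "per_source_thruput", "kb": "2.0"},
    {"source": IDX, "group": "per_source_thruput", "kb": "4.25"},
]


def stats_sum_by(events, value_field, by_field, as_name):
    """Model of `stats sum(value_field) AS as_name by by_field`."""
    totals = defaultdict(float)
    for ev in events:
        totals[ev[by_field]] += float(ev[value_field])
    return [{by_field: k, as_name: v} for k, v in sorted(totals.items())]


def to_csv(rows, fields):
    """Write rows as CSV, keeping only requested fields that the rows carry."""
    present = [f for f in fields if any(f in r for r in rows)]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=present,
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def export_check(csv_text, results):
    """Compare an exported CSV with the result table shown in the UI."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    header = reader.fieldnames or []
    return {
        "missing_columns": [f for f in results[0] if f not in header],
        "row_count_matches": len(rows) == len(results),
    }


results = stats_sum_by(EVENTS, "kb", "source", "KB_per_hour")
fields = list(results[0].keys())
broken_csv = to_csv(EVENTS, fields)    # event rows + results field list
correct_csv = to_csv(results, fields)  # result rows + results field list
```

Running `export_check` on a real export against the table shown in the UI is a quick way to confirm whether a given view is affected before the CSV is passed on.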

jankucera
Explorer

Exactly like lpolo mentioned. If you have a count column and export the results to CSV, the count column is missing. It's easy to reproduce.

0 Karma

lpolo
Motivator

I noticed that this problem occurs with Chrome version 17.0.963.78 m on the Windows platform. We tried the beta version of Chrome under Mac OS X and it works as it should.

0 Karma

ChrisG
Splunk Employee

I'm not quite sure what you mean by "the content of the CSV file is not consistent...." There is a defect in 4.3 where search results using the _time format are not human-readable when you export events using the Export button. This is mentioned in the known issues. The workaround is to use the convert...ctime() function (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/convert ).

0 Karma

mslvrstn
Communicator

I'm sorry to say that I'm running 4.3.3 and I'm still seeing this bug.
This is when using Actions>Export Results in a standard search (which uses 'top')
The workaround of using sendemail is good enough for now.

0 Karma

ChrisG
Splunk Employee

There were three related defects behind this behavior. The problem is fixed in the forthcoming 4.3.3 maintenance release.

0 Karma

sideview
SplunkTrust

I think what's adding to the confusion is that there are several places that have export functionality. There's the TitleBar module (which seems to have this bug), the advanced charting view has a little 'export' link (which seems to have this bug), and the flashtimeline view has a little 'export' link, well actually three separate export links, and they appear to work. However I think many if not most people running complex reports are doing so in the charting view. TitleBar isn't used much in core search UI, but is still widely used in apps.

0 Karma

ChrisG
Splunk Employee

I can't reproduce this. I'm on 4.3.2 and can successfully export results from queries using count and sum.

0 Karma

topdeck
Explorer

I am having exactly the same bug. Is there any fix?

0 Karma

lpolo
Motivator

It is not the case. You can test it by running any query that aggregates any data set. Example:

|stats count by house.

your result set is:

house count
house_1 10
house_2 7
.......

If you export this result set in csv, the content of the csv file does not show the count column.

0 Karma