Dashboards & Visualizations

Is it possible to execute a different search query for exporting to CSV?

sabarinathankay
New Member

Hello Splunk Experts,

I have this Simple XML dashboard with a simple Query.

    <table>
      <search>
        <query>
          index="__"
          sourcetype="__"
          source="___"
          DOCUMENT_ID="'$documentId$'"
          SERVICE_NAME="$serviceName$"
          SUCCESS_STATE="$successState$"
          | eval SERVICE_INPUT = replace(SERVICE_INPUT,"{{","")
          | eval SERVICE_INPUT = replace(SERVICE_INPUT,"}}","")
          | eval SERVICE_OUTPUT = replace(SERVICE_OUTPUT,"{{","")
          | eval SERVICE_OUTPUT = replace(SERVICE_OUTPUT,"}}","")
          | eval SIP = SERVICE_INPUT
          | eval SOP = SERVICE_OUTPUT
          | eval SERVICE_INPUT = substr(SERVICE_INPUT,1,15) + toString("...")
          | eval SERVICE_OUTPUT = substr(SERVICE_OUTPUT,1,15) + toString("...")
          | table TIME_STAMP, TIME_SPENT, SERVICE_NAME, SUCCESS_STATE, DOCUMENT_ID, SERVICE_INPUT, SERVICE_OUTPUT, TRANSACTION_TYPE, MACHINE_NAME, SIP, SOP
        </query>
        <earliest>$dateFrom.earliest$</earliest>
        <latest>$dateFrom.latest$</latest>
      </search>
      <option name="drilldown">cell</option>
      <option name="count">50</option>
      <option name="showPager">true</option>
      <drilldown>
        <set token="serviceInput">$row.SIP$</set>
        <set token="serviceOutput">$row.SOP$</set>
      </drilldown>
    </table>

The values for SERVICE_INPUT and SERVICE_OUTPUT will be quite huge, and hence I am shortening the length of these values to be displayed in the results table. However, I have a drilldown beneath the main search results table; upon clicking a particular row, the complete XML message for SERVICE_INPUT and SERVICE_OUTPUT is printed with the help of the $row.SIP$ and $row.SOP$ values captured through the tokens.

Now, I want to export the search results into a CSV with the entire row, i.e. the untrimmed SERVICE_INPUT and SERVICE_OUTPUT.

I want these columns to be exported to the CSV: "TIME_STAMP, TIME_SPENT, SERVICE_NAME, SUCCESS_STATE, DOCUMENT_ID, SERVICE_INPUT, SERVICE_OUTPUT, TRANSACTION_TYPE, MACHINE_NAME".

Also I want to omit SIP and SOP values as they will be redundant for each row. In short, I need the untrimmed SERVICE_INPUT and SERVICE_OUTPUT to be exported by leaving out SIP and SOP from the export.csv file.

How do I go about doing this? Any help will be highly appreciated.

Thanks and Regards,

Sabari Nathan Krishnan

0 Karma

woodcock
Esteemed Legend

Store $row.SIP$ and $row.SOP$ as tokens named $rowSIP$ and $rowSOP$ and then make a 2nd drilldown with this SPL:

    index="__"
    sourcetype="__"
    source="___" earliest=$dateFrom.earliest$ latest=$dateFrom.latest$
    DOCUMENT_ID="'$documentId$'"
    SERVICE_NAME="$serviceName$"
    SUCCESS_STATE="$successState$"
    | eval SERVICE_INPUT = replace(SERVICE_INPUT,"{{","")
    | eval SERVICE_INPUT = replace(SERVICE_INPUT,"}}","")
    | eval SERVICE_OUTPUT = replace(SERVICE_OUTPUT,"{{","")
    | eval SERVICE_OUTPUT = replace(SERVICE_OUTPUT,"}}","")
    | search SERVICE_INPUT = $rowSIP$ AND SERVICE_OUTPUT = $rowSOP$
    | table TIME_STAMP, TIME_SPENT, SERVICE_NAME, SUCCESS_STATE, DOCUMENT_ID, SERVICE_INPUT , SERVICE_OUTPUT , TRANSACTION_TYPE, MACHINE_NAME
    | sendemail ......
    | outputcsv ....

0 Karma

felipesewaybric
Contributor

If you want to export the data, you will need to click on that export button, but if you want to save it in a CSV file inside Splunk, you can always use outputlookup or outputcsv.

Unfortunately, there is no Export with the post-search drilldown, so you will need to change the table if you want to export those values only, like:

| table TIME_STAMP TIME_SPENT SERVICE_NAME SUCCESS_STATE DOCUMENT_ID SERVICE_INPUT SERVICE_OUTPUT TRANSACTION_TYPE MACHINE_NAME

0 Karma
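
An added example, not part of the thread and not Splunk's own code: one way to run a separate, untruncated search for the CSV is Splunk's REST export endpoint (`/services/search/jobs/export` with `output_mode=csv`). The helper names, host name and sample values are assumptions; the request is only built here, and sending it with valid credentials is left to the caller.

```python
import urllib.parse
import urllib.request

# Columns the asker wants in the CSV; SIP and SOP are deliberately left out.
EXPORT_FIELDS = ["TIME_STAMP", "TIME_SPENT", "SERVICE_NAME", "SUCCESS_STATE",
                 "DOCUMENT_ID", "SERVICE_INPUT", "SERVICE_OUTPUT",
                 "TRANSACTION_TYPE", "MACHINE_NAME"]


def spl_quote(value):
    """Double-quote a value for SPL, escaping backslashes and quotes so a
    form input cannot close the string and append its own search terms."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_export_search(index, sourcetype, source, document_id,
                        service_name, success_state):
    """Dashboard query minus the substr() truncation and the SIP/SOP copies."""
    filters = " ".join([
        "index=" + spl_quote(index),
        "sourcetype=" + spl_quote(sourcetype),
        "source=" + spl_quote(source),
        "DOCUMENT_ID=" + spl_quote("'" + document_id + "'"),
        "SERVICE_NAME=" + spl_quote(service_name),
        "SUCCESS_STATE=" + spl_quote(success_state),
    ])
    # Same {{ }} clean-up as the dashboard query, applied to the full values.
    cleanup = "".join(
        ' | eval %(f)s = replace(%(f)s,"{{","")'
        ' | eval %(f)s = replace(%(f)s,"}}","")' % {"f": field}
        for field in ("SERVICE_INPUT", "SERVICE_OUTPUT"))
    return "search " + filters + cleanup + " | table " + ", ".join(EXPORT_FIELDS)


def build_export_request(base_url, spl, earliest, latest, auth_header):
    """POST request for the export endpoint; the response body is the CSV."""
    body = urllib.parse.urlencode({"search": spl, "output_mode": "csv",
                                   "earliest_time": earliest,
                                   "latest_time": latest}).encode()
    url = base_url.rstrip("/") + "/services/search/jobs/export"
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Authorization": auth_header})


if __name__ == "__main__":
    # Constructed sample values standing in for the dashboard's form tokens.
    spl = build_export_search("app", "svc_log", "/var/log/svc.log",
                              "D-1", 'pay"ment', "SUCCESS")
    print(spl)
```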