Are there limits for the outputcsv command?

francescafilini
New Member

Hi,

I'm extracting data with the outputcsv command, but the file does not contain all the events returned by the search. I've already modified the value of maxresultrows in the [restapi] stanza; are there any other limits to change?

Thank you

0 Karma

chimell
Motivator

Hi francescafilini,
Note that the outputcsv command outputs search results to the specified CSV file.

Look at the following example.
It outputs search results to the CSV file 'mysearch.csv':

sourcetype=access_* |stats count by categoryId | outputcsv mysearch

For more information, follow this link:
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Outputcsv

In your search code,
replace host=$host$ with host=*
and $host$.txt with hosttxt

then re-test it.

0 Karma

fdi01
Motivator

Check first whether your search produces all the results you want without the outputcsv command; then you can use the outputcsv command to extract the desired result into the file.

If it is not OK, show me your search.
Thanks

0 Karma

francescafilini
New Member

Hi,

The outputcsv command seems to work, but when I investigate the data, I notice that not all the events returned in Splunk from the search are there. The problem is that the search returns all my events, but they are not written to the CSV.

My search is:

index=wineventlog host=host1 OR host=host2 OR host=host3 OR host=host4 |stats count by host| map maxsearches=100 search="search index=wineventlog sourcetype="WinEventLog:Security" host=$host$|sort - _time| outputtext usexml=false |fields raw| fields - _time, xml| outputcsv $host$.txt"

0 Karma

fdi01
Motivator

Your search is very good.
I see that you append ".txt" to the filename; can you change it to append ".csv" to the filename?
Try it like this to see:

index=wineventlog host=* |stats count by host| map maxsearches=100 search="search index=wineventlog sourcetype="WinEventLog:Security" host=$host$|sort - _time |table raw| fields - _time| outputcsv $host$.csv"
0 Karma

woodcock
Esteemed Legend

In Splunk v5 the row/event limit on export directly from search results in flashtimeline was removed so you probably do not need to use outputcsv any more (unless you like it better). If you cannot get that to work, this blog describes another method (that I have not tried):

http://blogs.splunk.com/2013/09/15/exporting-large-results-sets-to-csv/

0 Karma

francescafilini
New Member

That's a very good solution, but I can't understand if it works for saved searches too...

0 Karma

woodcock
Esteemed Legend

I am not sure; I have never tried it.

0 Karma