Note that the outputcsv command outputs search results to the specified CSV file.
Look at the following example.
It outputs search results to the CSV file 'mysearch.csv':
sourcetype=access_* |stats count by categoryId | outputcsv mysearch
For more information, follow this link.
In your search code,
replace host=$host$ by host=*
and $host$.txt by hosttxt
then re-test it.
Check first whether your search produces all the results you want without the outputcsv command; then you can use the outputcsv command to extract the desired result to the file.
If it is not OK, show me your search.
The outputcsv command seems to work, but when I investigate the data, I notice that not all the events returned in Splunk from the search are there. The problem is that the search returns all my events, but they are not written in the CSV.
My search is:
index=wineventlog host=host1 OR host=host2 OR host=host3 OR host=host4 |stats count by host| map maxsearches=100 search="search index=wineventlog sourcetype=\"WinEventLog:Security\" host=$host$|sort - _time| outputtext usexml=false |fields raw| fields - _time, xml| outputcsv $host$.txt"
Your search is very good.
I see that you append ".txt" to the filename; can you change it and append ".csv" to the filename?
Try like this to see:
index=wineventlog host=* |stats count by host| map maxsearches=100 search="search index=wineventlog sourcetype=\"WinEventLog:Security\" host=$host$|sort - _time |table raw| fields - _time| outputcsv $host$.csv"
In Splunk v5 the row/event limit on export directly from search results in flashtimeline was removed so you probably do not need to use outputcsv any more (unless you like it better). If you cannot get that to work, this blog describes another method (that I have not tried):