Getting Data In

Excel CSV/TSV Export

JensT
Communicator

Hi,

we have records with multiline fields.
If you do an CSV-export, MS Excel struggles as the export is really comma-separated.
Excel can only handle semicolon- or tab-separated values.

The Splunk Python Modules are already capable to do "Excel-CSV".

How and where can we tell Splunk to export "Excel-CSV"?

Regards,

Jens

Tags (3)
0 Karma
1 Solution

araitz
Splunk Employee
Splunk Employee
0 Karma

dominiquevocat
Motivator
0 Karma

araitz
Splunk Employee
Splunk Employee
0 Karma

iamarkaprabha
Contributor

Hi Araitz,

I have installed the addon i version 6.6.6 but the addon is not working as per the functionality

0 Karma

dominiquevocat
Motivator

i can not say much as per araitz' work but maybe https://splunkbase.splunk.com/app/1832/ is of some use to you?

0 Karma

frink
Explorer

I may not be taking the same path you are, but when I "Export results" from search in the UI and save it as CSV, Excel 2007 doesn't have any problem opening the file even though the _raw data I have is multiline.

When I try to run the CSV file through the text import wizard, it doesn't handle the multiline fields well. It treats every newline in the file as a new row in the Excel file. What I found was the only way to get multiline CSV values into Excel was to open the file directly into Excel. Text import didn't handle the multiline fields for me.

JensT
Communicator

Hi,

we're using Office 2003 and Splunk 4.1.7

The search is like:

  • | table a, b ,c

a and b are multiline.

When opening it directly in excel, for each newline in the field a new row is created in excel.

Regards,

HJens

0 Karma

JSapienza
Contributor

Actually Excel can handle just about any delimiter if you use the "Text import Wizard". I use this feature quite often. This link might help :
http://office.microsoft.com/en-us/excel-help/text-import-wizard-HP010102244.aspx

0 Karma

JensT
Communicator

Hi,

The _raw event is fine.
We're using Splunk 4.1.7.
Thanks for the hint, i will keep it in mind when we upgrade to 4.2

  • Jens
0 Karma

JSapienza
Contributor

Then you might need to look at how the events are being indexed. It's possible the event boundaries are not correct. Just a guess, without seeing your data, you might have to edit the props.conf for this sourcetype to correct line breaking on multi-line events. http://www.splunk.com/base/Documentation/4.2.1/Data/Indexmulti-lineevents

0 Karma

JensT
Communicator

Hi,

thanks for the quick answer.
This would work, if the fields were not multiline.

The main reason is the inconvenience for the user.

Goal is that the export can directly opened in MS Excel.

  • Jens
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!