Getting Data In

Help with merging CSV files needed

damucka
Builder

Hello,

I have the situation, where I evaluate the "All Time" logs initially and save the results to the csv file:

...
| outputtext usexml=false | fields - _raw  
| outputcsv StartupMinMaxAvg.txt
...

The base search takes quite a while, so I would like to do it only once and do not mess with the StartupMinMaxAvg.txt file later. So my idea was to create the report, which executes the base search on an hourly base and writes the results to the separate delta file:

    ...
    | outputtext usexml=false | fields - _raw  
    | outputcsv StartupMinMaxAvg_Delta_Last_1h.txt
    ...

What I would need then is to append the StartupMinMaxAvg_Delta_Last_1h.txt to the StartupMinMaxAvg.txt.
How would I do it the easiest way?

Kind Regards,
Kamil

Labels (1)
Tags (1)
0 Karma
1 Solution

manjunathmeti
SplunkTrust
SplunkTrust

Command ouputcsv has option to append results to existing csv file:

Syntax: append=<<bool>>
Description: If append is true, the command attempts to append to an existing CSV file, if the file exists. If the CSV file does not exist, a file is created. If there is an existing file that has a CSV header already, the command only emits the fields that are referenced by that header. The command cannot append to .gz files.
Default: false

Set append=true and use same filename:

 ...
 | outputtext usexml=false | fields - _raw  
 | outputcsv append=true StartupMinMaxAvg.csv
 ...

View solution in original post

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

Command ouputcsv has option to append results to existing csv file:

Syntax: append=<<bool>>
Description: If append is true, the command attempts to append to an existing CSV file, if the file exists. If the CSV file does not exist, a file is created. If there is an existing file that has a CSV header already, the command only emits the fields that are referenced by that header. The command cannot append to .gz files.
Default: false

Set append=true and use same filename:

 ...
 | outputtext usexml=false | fields - _raw  
 | outputcsv append=true StartupMinMaxAvg.csv
 ...
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...