Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add a field to an event to verify when it has been output to a csv.

awedmondson
Explorer
‎11-11-2015 07:11 AM

Is it possible to add a field to an event to verify when it has been output to a csv? Once I have completed a search, and outputted the results to a CSV file. This is to verify that it has been sent, and not sent again if the search is run again. Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-11-2015 08:19 AM

If I understand you correctly, you would like to have a single scheduled search that works like this: If there already is a CSV file, then do nothing; otherwise, create the file. If so, try something like this:

| inputcsv YourFileName.csv | stats count AS doesFileExistAlready | addinfo | eval earliestMaybe=if((doesFileExistAlready==0), info_min_time, now()) | map search="search earliest=$earliestMaybe$ latest=$info_max_time$ YOUR SEARCH HERE | outputcsv YourFileName.csv"

If the file already exists (and has at least 1 event/row), the search will generate an error and abort, leaving the file as-is; if it does not exist, it will get created.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-11-2015 08:19 AM

If I understand you correctly, you would like to have a single scheduled search that works like this: If there already is a CSV file, then do nothing; otherwise, create the file. If so, try something like this:

| inputcsv YourFileName.csv | stats count AS doesFileExistAlready | addinfo | eval earliestMaybe=if((doesFileExistAlready==0), info_min_time, now()) | map search="search earliest=$earliestMaybe$ latest=$info_max_time$ YOUR SEARCH HERE | outputcsv YourFileName.csv"

If the file already exists (and has at least 1 event/row), the search will generate an error and abort, leaving the file as-is; if it does not exist, it will get created.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-15-2015 12:12 PM

Given this clarification:

The scheduled search runs, and a time stamped output csv file is created (DMY-HMS.csv). Say for example that new events arrive into Splunk , and the search runs again, I only want new events sent to a new csv file, I don't want the events included that were csv'ed earlier.

Then like this:

Your Search Here NOT [| inputcsv YourFileName.csv] | Your Stuff Here | outputcsv YourFileName.csv
0 Karma
Reply
Solved! Jump to solution

awedmondson
Explorer
‎11-16-2015 12:59 AM

Interesting idea, Thanks. Do you know if it is possible to actually add a field to the events called "sent" with a timestamp of when the output csv was created? This would allow to only create the output csv based events that have not been sent already.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-16-2015 01:58 PM

Sure, just add this somewhere:

... | eval sent=now() ...
0 Karma
Reply
Solved! Jump to solution

awedmondson
Explorer
‎11-17-2015 02:29 PM

Thank you for your help, much appreciated.

0 Karma
Reply
Solved! Jump to solution

awedmondson
Explorer
‎11-15-2015 09:05 AM

Hi, Thank you for your reply. I didn't explain clearly. The scheduled search runs, and a time stamped output csv file is created (DMY-HMS.csv). Say for example that new events arrive into Splunk , and the search runs again, I only want new events sent to a new csv file, I don't want the events included that were csv'ed earlier.

0 Karma
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...