
How to export to csv the search results which used base search?

pinksqtuason
Explorer

I have a dashboard that uses base searches, which disabled the export button at the bottom of my panels. Is there a simple way I could use to export the results in each panel to CSV?

Thanks


chrabi
Loves-to-Learn Lots

Maybe this will be useful for someone: [How to export to CSV only 2 rows from a base query]

# Workaround: Export with Base Search, Post Processing.
1. In your dashboard XML
<search id="BASE_SEARCH_EXAMPLE">
<query>
index=_internal  sourcetype=* | fields *
</query>
</search>

2. Post-processing query: stats based on the base search, showing only 2 rows.
<Base Search> | stats count by source | head 2

<table>
<title>Post Processing table with 2 rows for export</title>
<search base="BASE_SEARCH_EXAMPLE">
<done>
<set token="start_query_inputlookup">| inputlookup FileForExport.csv</set>
</done>
<query>| stats count by source
| head 2
| outputlookup FileForExport.csv</query>
</search>
<option name="drilldown">none</option>
</table>

3. Hide the table with the query "| inputlookup FileForExport.csv"; its job.sid is required for the export token $job_exportTocsv$.

<panel depends="$nevershow$">
<table>
<title>Hide table with import query, job.sid required for export.</title>
<search>
<done>
<set token="job_exportTocsv">$job.sid$</set>
</done>
<query>$start_query_inputlookup$</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<refreshType>delay</refreshType>
</search>
</table>
</panel>

4. A button or link is required to download the CSV file; paste it somewhere in the dashboard.
<panel>
<table>
</table>
<html>

<a target="_blank" class="btn" href="/api/search/jobs/$job_exportTocsv$/results?isDownload=true&amp;timeFormat=%25FT%25T.%25Q%25%3Az&amp;maxLines=0&amp;count=0&amp;filename=FileForExportDetails.csv&amp;outputMode=csv" role="button">Export_Data_csv</a>

</html>
</panel>

0 Karma

fsolercasanova
Explorer

Using base searches in Splunk dashboards breaks the export button feature for the panels.

There are a few workarounds available depending on what your needs are. However, none of them will fix the export button on the dashboard.

1) You can use the dump command to output all your search results including the events. This WON'T be in CSV.

2) @sudosplunk mentioned the outputlookup method; this will write every time the dashboard search is run.

3) You can open the panel in a search and export from there. If you or the user have the proper permissions, this would be the closest to actually exporting from the panel.

sudosplunk
Motivator

Have a look at the outputlookup command to export results. For CSV lookups, if the lookup file does not exist, it is created in the lookups directory of the current application. Append |outputlookup file_name.csv to your search. HTH!
