Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to force CSV header in export job with output_mode=csv and no matching events?

iroddis
New Member
‎11-12-2019 08:17 AM

Using the cURL/API to submit an output_mode=csv export job like this:

search .... | table fieldA fieldB

Will give a CSV payload if there are any matching events, otherwise, it will return no data at all, not even a header.

Is it possible to force the header, even if there are no matching events? I know Splunk knows what the header should be, since output_mode=xml will return the expected fields in a <fieldOrder> set.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎11-13-2019 04:32 PM

Why not add a fake event at the end of each search, to never return an empty table ?

search ....  | append [ | stats count | eval fieldA="null", fieldB="null" | fields - count ]  | table fieldA fieldB
0 Karma
Reply

iroddis
New Member
‎11-14-2019 06:56 AM

Thank you for the answer!

For me, your approach works, but isn't particularly scalable. I have ~ 50 queries that change frequently, and maintaining the column list in two points in the query is a bit fragile. The subsearch is also unbounded in time, so can be expensive on large indexes.

My current solution is to detect if no data was returned, then submit the query to the parsing endpoint, and extracting the fields from the reportsSearch key. It's also fairly fragile (it depends on the last command being a table), but it avoids the penalty of resubmitting the search.

Ideally Splunk would adjust things so that an output_mode=csv would return the headers always, or at least expose an option for it.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎11-14-2019 08:03 AM

Understood, if you have a support contract, you can still open an enhancement request case on the product, to request outputlookup options.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...