Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to force CSV header in export job with output_mode=csv and no matching events?

iroddis
New Member
‎11-12-2019 08:17 AM

Using the cURL/API to submit an output_mode=csv export job like this:

search .... | table fieldA fieldB

Will give a CSV payload if there are any matching events, otherwise, it will return no data at all, not even a header.

Is it possible to force the header, even if there are no matching events? I know Splunk knows what the header should be, since output_mode=xml will return the expected fields in a <fieldOrder> set.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎11-13-2019 04:32 PM

Why not add a fake event at the end of each search, to never return an empty table ?

search ....  | append [ | stats count | eval fieldA="null", fieldB="null" | fields - count ]  | table fieldA fieldB
0 Karma
Reply

iroddis
New Member
‎11-14-2019 06:56 AM

Thank you for the answer!

For me, your approach works, but isn't particularly scalable. I have ~ 50 queries that change frequently, and maintaining the column list in two points in the query is a bit fragile. The subsearch is also unbounded in time, so can be expensive on large indexes.

My current solution is to detect if no data was returned, then submit the query to the parsing endpoint, and extracting the fields from the reportsSearch key. It's also fairly fragile (it depends on the last command being a table), but it avoids the penalty of resubmitting the search.

Ideally Splunk would adjust things so that an output_mode=csv would return the headers always, or at least expose an option for it.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎11-14-2019 08:03 AM

Understood, if you have a support contract, you can still open an enhancement request case on the product, to request outputlookup options.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top