- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
junshi
Explorer
01-12-2016
08:31 AM
I have a search that returns around 60,000 results in a straight table format:
field1, field2
I need to export this via CSV to another system, that only accepts 1000 lines per CSV.
Is there a way to export these results to multiple CSV's, capped at 1000 events per CSV?
example:
results1.csv (1-1000)
results2.csv (1001-2000)
resultsn.csv (n...)
Note: I cannot split based upon time, as we are running a daily stats, then de-duping these results, before export.
I am also trying to avoid running multiple searches for each 1000 events!
Thanks all!!!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![somesoni2 somesoni2](https://community.splunk.com/legacyfs/online/avatars/100305.jpg)
somesoni2
Revered Legend
01-12-2016
09:30 AM
Try something like this
| gentimes start=-1 | eval sno=mvrange(0,60) | table sno | mvexpand sno | eval from=sno*1000+1 | eval to=(sno+1)*1000 | map search="search your search to export | eval sno=1 | accum sno | where sno>=$from$ AND sno<=$to$ | fields - sno | outputcsv Result.$from$"-".$to$ "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![somesoni2 somesoni2](https://community.splunk.com/legacyfs/online/avatars/100305.jpg)
somesoni2
Revered Legend
01-12-2016
09:30 AM
Try something like this
| gentimes start=-1 | eval sno=mvrange(0,60) | table sno | mvexpand sno | eval from=sno*1000+1 | eval to=(sno+1)*1000 | map search="search your search to export | eval sno=1 | accum sno | where sno>=$from$ AND sno<=$to$ | fields - sno | outputcsv Result.$from$"-".$to$ "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
junshi
Explorer
01-12-2016
10:03 AM
Nice, I was playing with the eval command but in a different approach. Very nice!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
junshi
Explorer
01-12-2016
10:46 AM
Tweaked your search:
| gentimes start=-1 | eval sno=mvrange(0,60) | table sno | mvexpand sno | eval from=sno*1000+1 | eval to=(sno+1)*1000 | map [search your search to export | eval sno=1 | accum sno | where sno>=$from$ AND sno<=$to$ | fields - sno | outputcsv Result.$from$"-".$to$]
This seems to work, thanks again!
![](/skins/images/FE4825B2128CA5F641629E007E333890/responsive_peak/images/icon_anonymous_message.png)