Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is there a way to export results to multiple CSVs ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
junshi
Explorer
01-12-2016
08:31 AM
I have a search that returns around 60,000 results in a straight table format:
field1, field2
I need to export this via CSV to another system, that only accepts 1000 lines per CSV.
Is there a way to export these results to multiple CSV's, capped at 1000 events per CSV?
example:
results1.csv (1-1000)
results2.csv (1001-2000)
resultsn.csv (n...)
Note: I cannot split based upon time, as we are running a daily stats, then de-duping these results, before export.
I am also trying to avoid running multiple searches for each 1000 events!
Thanks all!!!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-12-2016
09:30 AM
Try something like this
| gentimes start=-1 | eval sno=mvrange(0,60) | table sno | mvexpand sno | eval from=sno*1000+1 | eval to=(sno+1)*1000 | map search="search your search to export | eval sno=1 | accum sno | where sno>=$from$ AND sno<=$to$ | fields - sno | outputcsv Result.$from$"-".$to$ "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-12-2016
09:30 AM
Try something like this
| gentimes start=-1 | eval sno=mvrange(0,60) | table sno | mvexpand sno | eval from=sno*1000+1 | eval to=(sno+1)*1000 | map search="search your search to export | eval sno=1 | accum sno | where sno>=$from$ AND sno<=$to$ | fields - sno | outputcsv Result.$from$"-".$to$ "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
junshi
Explorer
01-12-2016
10:03 AM
Nice, I was playing with the eval command but in a different approach. Very nice!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
junshi
Explorer
01-12-2016
10:46 AM
Tweaked your search:
| gentimes start=-1 | eval sno=mvrange(0,60) | table sno | mvexpand sno | eval from=sno*1000+1 | eval to=(sno+1)*1000 | map [search your search to export | eval sno=1 | accum sno | where sno>=$from$ AND sno<=$to$ | fields - sno | outputcsv Result.$from$"-".$to$]
This seems to work, thanks again!
Get Updates on the Splunk Community!
Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)
Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...
Index This | I am a number but I am countless. What am I?
January 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
Happy New Year! We’re ...
What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience
PLATFORM TECH TALKS
What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience
Thursday, February 27, ...
