Getting Data In

Missing columns when exporting to CSV

rhysjones
Path Finder

Hello,

I have a search that returns 3 columns of data allowing us to check the first logon of the day (or last logoff of the day) for accounts (see below). The issue is that when we go to Export to CSV when logged on as a limited access user, we only get the first 2 columns. So, we list Date, UserName, and Time, and in the export we only get Date and UserName. If we go in as the admin user we get all 3 columns correctly. I am not sure what permissions options would be required to add that extra column.

We currently use v4.1.3 but are planning to upgrade.

sourcetype=WinEventLog:Security eventtype=winlogon | bucket span=1h _time AS tb | convert timeformat="%d/%m/%Y" ctime(tb) AS Date | stats min(_time) AS mt by Date,User_Name | convert mktime(mt) | convert timeformat="%H:%M:%S" ctime(mt) AS "Logon Time" |dedup Date keepevents=t | fields - mt

Thanks for any thoughts on this!

Rhys

1 Solution

gkanapathy
Splunk Employee

There are problems in 4.1.3 and earlier when you have field names that have a space in them and you perform an export from the Web GUI. (Bug SPL-30825)

It should have been fixed as of 4.1.4. Note that the outputcsv command is not subject to this problem. You should also be able to work around this by changing your column name "Logon Time" to "Logon_Time" (or "LogonTime" or whatever).

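
As an added example (not part of this thread and not Splunk's own code), a small Python script that turns the two points above into checks a report owner can run: it flags quoted AS field names containing spaces in a search string and rewrites them with underscores (the suggested workaround), and it compares the header of an exported CSV against the columns the search is expected to produce, so a silently dropped column is caught before the logon report is trusted. The search string is the one from the question; the CSV contents and the expected column list are constructed sample data, not real exports.

```python
import csv
import io
import re

# The search from the question, verbatim.
ORIGINAL_SEARCH = (
    'sourcetype=WinEventLog:Security eventtype=winlogon '
    '| bucket span=1h _time AS tb '
    '| convert timeformat="%d/%m/%Y" ctime(tb) AS Date '
    '| stats min(_time) AS mt by Date,User_Name '
    '| convert mktime(mt) '
    '| convert timeformat="%H:%M:%S" ctime(mt) AS "Logon Time" '
    '| dedup Date keepevents=t | fields - mt'
)

# Constructed sample data: the columns the search should yield, an export as the
# limited-access user saw it (third column missing) and one with all columns.
EXPECTED_COLUMNS = ["Date", "User_Name", "Logon Time"]

LIMITED_USER_EXPORT = """Date,User_Name
01/06/2010,alice
01/06/2010,bob
"""

ADMIN_EXPORT = """Date,User_Name,Logon Time
01/06/2010,alice,08:02:11
01/06/2010,bob,08:15:43
"""

# Matches a quoted output field name after AS, e.g. AS "Logon Time".
_AS_QUOTED = re.compile(r'\bAS\s+(["\'])(.+?)\1', re.IGNORECASE)


def fields_with_spaces(spl):
    """Return the quoted AS field names in an SPL string that contain whitespace."""
    return [m.group(2) for m in _AS_QUOTED.finditer(spl)
            if re.search(r"\s", m.group(2))]


def underscore_field_names(spl):
    """Rewrite quoted AS names containing whitespace to underscore form, unquoted."""
    def fix(m):
        name = m.group(2)
        if re.search(r"\s", name):
            return "AS " + re.sub(r"\s+", "_", name)
        return m.group(0)
    return _AS_QUOTED.sub(fix, spl)


def missing_columns(csv_text, expected):
    """Return the expected column names that are absent from the CSV header row."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, [])
    return [c for c in expected if c not in header]


if __name__ == "__main__":
    print("fields with spaces:", fields_with_spaces(ORIGINAL_SEARCH))
    print("workaround search:", underscore_field_names(ORIGINAL_SEARCH))
    for label, text in (("limited user", LIMITED_USER_EXPORT), ("admin", ADMIN_EXPORT)):
        print(f"{label} export missing:", missing_columns(text, EXPECTED_COLUMNS))
```

Running the header check on both exports is the quickest way to confirm whether the problem is the export path rather than the search itself: the same search producing a shorter header only for the limited-access user points at the export, not at permissions on the data.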

shresthas
New Member

When I am doing an export search using the Java SDK, I am missing columns when I am running this query.

search sourcetype=sourcetype_1 OR (sourcetype=sourcetype_2 NOT (Session_Duration="Session Duration")) | rex field=sourcetype "(?<server_type>[^\W]+)(?<source_log_type>[^_\W]+)" | eval client_ip_address = Client_Address | eval Document_Session_Duration = Session_Duration | eval Message=replace(Message, ",","-") | eval Document=replace(Document, ",","-") | iplocation client_ip_address | table Timestamp,User,Document,Message,Document_Session_Duration,server_type, source_log_type, host, client_ip_address, City, Country

What gives? I am using Splunk 6.1.1.


rhysjones
Path Finder

I can now confirm that adding an "_" in the column name (removing the blank space) resolves the problem. Thanks gkanapathy.


rhysjones
Path Finder

Yes, that's correct, all columns are visible on screen. This is only a problem for the limited access user when using the Action / Export feature in the Web GUI. I'll try the suggestion below regarding spaces in the field name and see if that helps. Thank you.


rhysjones
Path Finder

I am actually going to be away for a few weeks so I'll have to give this a go when I return. Thank you for the feedback!


gkanapathy
Splunk Employee
Splunk Employee

Can't blame you. It's a bug.


rhysjones
Path Finder

Thank you. I'll give that a try. Didn't occur to me to look at spaces in the names! Thanks again.


southeringtonp
Motivator

Just to clarify - when the limited access user runs the query interactively, are all of the columns available? They're only missing when you actually do the export?
