Solved: outputcsv: How to include the current Splunk user ...

remnant_8 · ‎05-16-2016

I want output csv like this "splunkuserid_data.csv" automatically. For example:
admin_17_05_16_09_07_58.csv
I tried this search:

my search | outputcsv [| stats count | addinfo | eval filename=strftime(now(), "filename_%d_%m_%y_%H_%M_%S") | return $filename ]

I know how to get get the current Splunk user id with |rest /services/authentication/current-context splunk_server=local | fields username, but I don't know how to include the Splunk user id in the CSV file name

Does anyone have an idea?

remnant_8 · ‎05-18-2016

I used SPL like this 🙂

my search | outputcsv  [ | rest /services/authentication/current-context splunk_server=local | eval time=strftime(now(), "%Y_%m_%d_%H_%M_%S") | fields username time | eval csvnm = toString(username) + "_" +toString(time) | return $csvnm]

View solution in original post

remnant_8 · ‎05-18-2016

I used SPL like this 🙂

my search | outputcsv  [ | rest /services/authentication/current-context splunk_server=local | eval time=strftime(now(), "%Y_%m_%d_%H_%M_%S") | fields username time | eval csvnm = toString(username) + "_" +toString(time) | return $csvnm]

outputcsv: How to include the current Splunk user ID and date in the CSV file name? (ex: splunkuserid_date.csv)

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms