Solved: outputcsv: How to include the current Splunk user ...

remnant_8 · ‎05-16-2016

I want output csv like this "splunkuserid_data.csv" automatically. For example:
admin_17_05_16_09_07_58.csv
I tried this search:

my search | outputcsv [| stats count | addinfo | eval filename=strftime(now(), "filename_%d_%m_%y_%H_%M_%S") | return $filename ]

I know how to get get the current Splunk user id with |rest /services/authentication/current-context splunk_server=local | fields username, but I don't know how to include the Splunk user id in the CSV file name

Does anyone have an idea?

remnant_8 · ‎05-18-2016

I used SPL like this 🙂

my search | outputcsv  [ | rest /services/authentication/current-context splunk_server=local | eval time=strftime(now(), "%Y_%m_%d_%H_%M_%S") | fields username time | eval csvnm = toString(username) + "_" +toString(time) | return $csvnm]

View solution in original post

remnant_8 · ‎05-18-2016

I used SPL like this 🙂

my search | outputcsv  [ | rest /services/authentication/current-context splunk_server=local | eval time=strftime(now(), "%Y_%m_%d_%H_%M_%S") | fields username time | eval csvnm = toString(username) + "_" +toString(time) | return $csvnm]

outputcsv: How to include the current Splunk user ID and date in the CSV file name? (ex: splunkuserid_date.csv)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation