Re: outputcsv - append field value in filename

vb1612 · ‎05-25-2019

I have field name xyz , want to append value of this field in outputcsv filename

koshyk · ‎05-26-2019

Something like this..

<your_search_to_get_xyz field>
|eval myCSVFile=xyz
| map search="search index=_internal| fields host,sourcetype,source|outputlookup $myCSVFile$.csv"

Above is an example.. Change it to your own searches to generate the xyz field and then apply it to the output of another search to generate outputlookup

DavidHourani · ‎05-26-2019

Hi @vb1612,

Where is your field located ? Is it in an index ? Are you trying to combine fields from multiple sources ?

Official documentation for output CSV is in Splunk docs :
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Outputcsv

So all you have to do is make sure your field is there before you run the outputcsv command:

index=yourindex sourcetype=yoursourcetype | fields fields_you_want_to_keep | outputcsv MyTestCsvFile

Pease provide some sample data if you want you help with your specific SPL.

Cheers,
David

outputcsv - append field value in filename

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation