I have field name xyz , want to append value of this field in outputcsv filename
Something like this..
<your_search_to_get_xyz field>
|eval myCSVFile=xyz
| map search="search index=_internal| fields host,sourcetype,source|outputlookup $myCSVFile$.csv"
Above is an example.. Change it to your own searches to generate the xyz field and then apply it to the output of another search to generate outputlookup
Hi @vb1612,
Where is your field located ? Is it in an index ? Are you trying to combine fields from multiple sources ?
Official documentation for output CSV is in Splunk docs :
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Outputcsv
So all you have to do is make sure your field is there before you run the outputcsv command:
index=yourindex sourcetype=yoursourcetype | fields fields_you_want_to_keep | outputcsv MyTestCsvFile
Pease provide some sample data if you want you help with your specific SPL.
Cheers,
David