Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"Export results..." output blank when using inputlookup

rtadams89
Contributor
‎09-05-2013 03:35 PM

If I perform a search for:

index=myindex | table field1, field2, field3

and then use the "Actions" menu to "Export results", I can get a csv with 3 columns and as many lines as there were events returned by the search.

On the other hand, if I run this search:

| inputlookup test.csv | table field1, field2, field3

and then attempt to "Export results", the output (csv, xml, or json) is always empty (no column headers or data). The test.csv file contains data and the search displays data within the Splunk web GUI, just nothing when attempting to export.

Both of the above search would allow me to export data when I was running 4.2.3; this problem only appears after upgrading to 5.0.4.

Any ideas what the fix is?

Reply
1 Solution
Solved! Jump to solution
Solution

rtadams89
Contributor
‎09-06-2013 09:12 AM

Looks like there was an issue with the xml views for the search app. The XML views worked in the 4.x line, but when upgraded to 5.x, the xml persisted and had the Export function referencing the events endpoint instead of the results endpoint. I went in an manually deleted the xml files from apps/search/local/data/ui/views and the problem is now fixed.

View solution in original post

Reply
Solved! Jump to solution
Solution

rtadams89
Contributor
‎09-06-2013 09:12 AM

Looks like there was an issue with the xml views for the search app. The XML views worked in the 4.x line, but when upgraded to 5.x, the xml persisted and had the Export function referencing the events endpoint instead of the results endpoint. I went in an manually deleted the xml files from apps/search/local/data/ui/views and the problem is now fixed.

Reply
Solved! Jump to solution

rtadams89
Contributor
‎09-05-2013 04:34 PM

Additional info: It appears this may be a problem with Splunk exporting data when there are no "events" (such as when using the inputlookup command). Again, this has only been happening since the upgrade from the 4.2.x line to the 5.0.x line.

I'm not able to reproduce the issue with a fresh 5.0.4 error, so I assume this is a configuration error. Looking through the logs in _internal I don't see any obvious errors (what should I be looking for for csv export errors?).

0 Karma
Reply
Solved! Jump to solution

rturk
Builder
‎09-05-2013 04:29 PM

Hi Rtadams89,

I've just tested in 5.0.1 & 5.0.4 and am unable to replicate the issue you are reporting. The only thing that I can see wrong with what you have described is a missing pipe character at the start of your second command:

| inputlookup test.csv | table field1, field2, field3
Reply
Solved! Jump to solution

rtadams89
Contributor
‎09-05-2013 04:31 PM

Sorry, that was a typo in my original post. In my testing, I DO have a leading pipe.

0 Karma
Reply
Get Updates on the Splunk Community!

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...
Top