Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- "Export results..." output blank when using inputl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I perform a search for:
index=myindex | table field1, field2, field3
and then use the "Actions" menu to "Export results", I can get a csv with 3 columns and as many lines as there were events returned by the search.
On the other hand, if I run this search:
| inputlookup test.csv | table field1, field2, field3
and then attempt to "Export results", the output (csv, xml, or json) is always empty (no column headers or data). The test.csv file contains data and the search displays data within the Splunk web GUI, just nothing when attempting to export.
Both of the above search would allow me to export data when I was running 4.2.3; this problem only appears after upgrading to 5.0.4.
Any ideas what the fix is?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like there was an issue with the xml views for the search app. The XML views worked in the 4.x line, but when upgraded to 5.x, the xml persisted and had the Export function referencing the events endpoint instead of the results endpoint. I went in an manually deleted the xml files from apps/search/local/data/ui/views and the problem is now fixed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like there was an issue with the xml views for the search app. The XML views worked in the 4.x line, but when upgraded to 5.x, the xml persisted and had the Export function referencing the events endpoint instead of the results endpoint. I went in an manually deleted the xml files from apps/search/local/data/ui/views and the problem is now fixed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Additional info: It appears this may be a problem with Splunk exporting data when there are no "events" (such as when using the inputlookup command). Again, this has only been happening since the upgrade from the 4.2.x line to the 5.0.x line.
I'm not able to reproduce the issue with a fresh 5.0.4 error, so I assume this is a configuration error. Looking through the logs in _internal I don't see any obvious errors (what should I be looking for for csv export errors?).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Rtadams89,
I've just tested in 5.0.1 & 5.0.4 and am unable to replicate the issue you are reporting. The only thing that I can see wrong with what you have described is a missing pipe character at the start of your second command:
| inputlookup test.csv | table field1, field2, field3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, that was a typo in my original post. In my testing, I DO have a leading pipe.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...
