Getting Data In

/services/search/jobs/export ignores required fields in CSV

aperepel
Engager

The doc for the /jobs/export mentions the 'rf' parameter (v5.0.2). However, it is ignored by the REST endpoint. E.g. for this URL: https://example.com/services/search/jobs/export?search=search+*+index%3D%22somename%22++%7C+head+50&...

I expect it to return an event_code field, but it just dumps raw set of meta fields (host, time, _raw, etc.). NONE of the actual extracted fields which work great in the UI.

How can I set up the CSV export to contain only the fields I want?

Tags (4)
0 Karma
1 Solution

aperepel
Engager

I think I made progress. The API is very very picky as to the order of piped commands...

After many many permutations this got me somewhere:

search * | head 10 | table _time,mycolumn1,event_code,from_ip,from_port

The CSV output is still not honoring the field order (I did try to pipe it to the 'fields' command, which didn't affect CSV output still). So, _time column is somewhere in the middle of the output, and not the first one. I'll try reformatting it, maybe it will agree to behave better when treated as a custom field 🙂

Another issue is the string values for columns are wrapped in double quotes, which seems really redundant when there's no need for that at all (e.g. simple values).

View solution in original post

0 Karma

aperepel
Engager

I think I made progress. The API is very very picky as to the order of piped commands...

After many many permutations this got me somewhere:

search * | head 10 | table _time,mycolumn1,event_code,from_ip,from_port

The CSV output is still not honoring the field order (I did try to pipe it to the 'fields' command, which didn't affect CSV output still). So, _time column is somewhere in the middle of the output, and not the first one. I'll try reformatting it, maybe it will agree to behave better when treated as a custom field 🙂

Another issue is the string values for columns are wrapped in double quotes, which seems really redundant when there's no need for that at all (e.g. simple values).

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...