- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Re: Can I get outputcsv to not quote
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I get outputcsv to not quote
Hello
I know this has been asked before but I retied the solution and still getting the same results.
index=java host=*myhost* name=transactional *USEmployeeUserGrpDiscountRule* "[amount=-" | dedup ticketId | rex field=_raw "\[amount=-(?<feeAdjustmentAmount>\d*\.\d*)" | eval foo="\"feeAdjustmentAmount\"" | eval boo=trim(foo, "\"") | table ticketId, boo | rename boo AS feeAdjustmentAmount
I'm sure I'm just doing something incorrectly. Its the foo eval that I don't have right.
The feeAdjustmentAmount is monetary so it will be digits.2decimals like 24.50 with no quotes in the log.
Right now, of course, the search above returns results like:
ticketId feeAdjustmentAmount
(purposelyMasked) feeAdjustmentAmount
Can you tell me when I outputcsv, how can I get it to exclude quotes. We use the csv to push to a webpage so fixing format is important.
Thank a bunch!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are you putting the quotes there in the first place? just use
| eval foo=feeAdjustmentAmount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK yes, that was incorrect. I removed that and used:
index=java host=*myhost* name=transactional *USEmployeeUserGrpDiscountRule* "[amount=-" | dedup ticketId | rex field=_raw "\[amount=-(?<feeAdjustmentAmount>\d*\.\d*)" | eval foo=feeAdjustmentAmount | eval boo=trim(foo, "\"") | table ticketId, boo | rename boo AS feeAdjustmentAmount | outputcsv empdiscount
but the csv is still formatted
ticketId,feeAdjustmentAmount
(purposelyMasked),"15.01"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this -
index=java host=*myhost* name=transactional *USEmployeeUserGrpDiscountRule* "[amount=-"
| dedup ticketId
| rex field=_raw "\[amount=-(?<feeAdjustmentAmount>\d*\.\d*)"
| eval feeAdjustmentAmount = tonumber(feeAdjustmentAmount)
| table ticketId, feeAdjustmentAmount
| outputcsv empdiscount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are the results from that
[me@myhost ~]# cat empdiscount.csv
ticketId,feeAdjustmentAmount
(purposelymasked),"6.00"
(purposelymasked),"12.00"
(purposelymasked),"15.01"
(purposelymasked),"11.73"
Still quoted
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
