Solved: Export from counttable broken

timbCFCA · ‎08-09-2012

I have a pretty basic query which generates a large (several hundred by several hundred) table.

 host=XX OR host=YY print evtid="10" splunk_server="ami" | counttable evtuser, Printer_Name

I need to export this resulting table to a CSV. This function is apparently known to be broken based on some of the other answers I've seen. I'm only receiving the first column of output. Is there a ready way to do what I need?

dmaislin_splunk · ‎08-09-2012

So can't you just run

host=XX OR host=YY print evtid="10" splunk_server="ami" | counttable evtuser, Printer_Name | outputcsv myfile

Then the results are written to: '$SPLUNK_HOME/var/run/splunk/myfile.csv'

View solution in original post

dmaislin_splunk · ‎08-09-2012

So can't you just run

host=XX OR host=YY print evtid="10" splunk_server="ami" | counttable evtuser, Printer_Name | outputcsv myfile

Then the results are written to: '$SPLUNK_HOME/var/run/splunk/myfile.csv'

dmaislin_splunk · ‎08-09-2012

Never used that command before, so this command aye?

http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Contingency

timbCFCA · ‎08-09-2012

@dmaislin_splunk - I'm rendering a count table in Splunk. I want to save this table to my local drive.

dmaislin_splunk · ‎08-09-2012

Did you mean outputcsv

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputcsv

Export from counttable broken

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann