Solved: Export from counttable broken

timbCFCA · ‎08-09-2012

I have a pretty basic query which generates a large (several hundred by several hundred) table.

 host=XX OR host=YY print evtid="10" splunk_server="ami" | counttable evtuser, Printer_Name

I need to export this resulting table to a CSV. This function is apparently known to be broken based on some of the other answers I've seen. I'm only receiving the first column of output. Is there a ready way to do what I need?

dmaislin_splunk · ‎08-09-2012

So can't you just run

host=XX OR host=YY print evtid="10" splunk_server="ami" | counttable evtuser, Printer_Name | outputcsv myfile

Then the results are written to: '$SPLUNK_HOME/var/run/splunk/myfile.csv'

View solution in original post

dmaislin_splunk · ‎08-09-2012

So can't you just run

host=XX OR host=YY print evtid="10" splunk_server="ami" | counttable evtuser, Printer_Name | outputcsv myfile

Then the results are written to: '$SPLUNK_HOME/var/run/splunk/myfile.csv'

dmaislin_splunk · ‎08-09-2012

Never used that command before, so this command aye?

http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Contingency

timbCFCA · ‎08-09-2012

@dmaislin_splunk - I'm rendering a count table in Splunk. I want to save this table to my local drive.

dmaislin_splunk · ‎08-09-2012

Did you mean outputcsv

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Outputcsv

Export from counttable broken

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation