How do I export the search results for multiple se...

nbharadwaj · ‎06-21-2011

I need to run many searches and consolidate all the results. Each search looks like this

.......| stats count avg(field1) avg(field2)

So the output columns are always the same, and each search will only generate one row.

How can I send the output to one single CSV file? Is there a way to append to an existing CSV file?

I can go via the Web UI or via CLI- either way is fine. Thanks!

Stephen_Sorkin · ‎06-23-2011

The most straightforward way is to use append:

... | stats count avg(field1) avg(field2) | append [search ... | stats count avg(field1) avg(field2)] | append [search ...] | ...

However, this isn't necessarily the most efficient.

Assuming that your initial search part is very simple, you can do something like:

(foo=A ...) OR (foo=B ...) OR (foo=C ...) | stats count avg(field1) avg(field2) by foo | fields - foo

Now, you may not have a field that cleanly splits the events. In that case you could use eval to synthesize one:

(<search A>) OR (<search B>) OR (<search C>) | eval foo = case(searchmatch("<search A>"), "A", ...) |  stats count avg(field1) avg(field2) by foo | fields - foo

How do I export the search results for multiple searches to a single CSV file?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?