Hi,
I need help creating a daily CSV export to a file from a data set for 24 hrs. I have a data set under Search & Reporting >> Datasets >> my dump report. Now when I click on the my dump report it gives me a report for any specific condition / time / period, whatever I like, and then I am able to download the same as a CSV file. I need help to create a daily automatic job of the same so that after every 24 hrs (each day from 00:00:00 hrs to 23:59:00 hrs) the report is created and saved / exported to a specific folder / disk with date_Month_year wise folder / file. Kindly help me / guide me for the same. I am trying on Splunk installed on Windows.
Hi Sir,
Greetings. Thanks for the help. As I am very new to Splunk, I was not able to figure out the solution you shared, though I read the documentation shared by you. I need more help in creating this solution to get the desired output. Regarding moving the CSV file from Splunk Base, that I can handle. Can you help me further in this regard? I have attached the screenshots.
Regards
Rayees
Hi @Rayees,
you should modify your search by adding the outputcsv command at the end of your search (https://docs.splunk.com/Documentation/Splunk/9.0.2/SearchReference/Outputcsv) and create an alert using this search.
The only problem is that the csv can be saved in a fixed (and not configurable) folder: $SPLUNK_HOME\var\run\splunk\csv
This means that you also have to create a script that moves the csv to the desired folder.
Ciao.
Giuseppe
Hi @Rayees ,
I don't know your search, but if it's something like this:
<your_search>
| timechart span=1h count BY host
you have to add the outputcsv at the end of your search:
<your_search> earliest=-24h@h latest=@h
| timechart span=1h count BY host
| outputcsv your_csv_file.csv
and save it as an alert scheduled e.g. at 1 AM in [Save As > Alert > Run every day > Run at 1.00 > Save].
In this way you'll have the file in the $SPLUNK_HOME\var\run\splunk\csv folder, so you can schedule a shell script to move it to another folder.
Ciao.
Giuseppe
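The move step described in the answer above, as an added PowerShell example that is not part of the original thread. It assumes the file name your_csv_file.csv from the search above; the destination root D:\SplunkExports, the fallback install path, the output file name and the 6-hour freshness window are hypothetical values to adjust.

```powershell
# Added example (not from the thread): move the daily outputcsv file into a
# date-named folder. Intended to run from Windows Task Scheduler shortly after
# the 1 AM alert has finished.
$ErrorActionPreference = 'Stop'

# Assumption: SPLUNK_HOME is set; otherwise fall back to the default Windows install path.
$SplunkHome = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\Splunk' }
$Source     = Join-Path $SplunkHome 'var\run\splunk\csv\your_csv_file.csv'
$DestRoot   = 'D:\SplunkExports'   # hypothetical destination root

# The alert runs at 1 AM over the preceding 24 hours, so label the export
# with the previous day's date in date_Month_year form, e.g. 14_Mar_2023.
$Stamp   = (Get-Date).AddDays(-1).ToString('dd_MMM_yyyy')
$DestDir = Join-Path $DestRoot $Stamp
$Dest    = Join-Path $DestDir "my_dump_report_$Stamp.csv"   # hypothetical file name

# Fail loudly if the scheduled search produced nothing.
if (-not (Test-Path -LiteralPath $Source -PathType Leaf)) {
    throw "Export not found: $Source"
}

# Guard against archiving an old or empty file when last night's search did not run.
$File = Get-Item -LiteralPath $Source
if ($File.LastWriteTime -lt (Get-Date).AddHours(-6)) {
    throw "Export is stale (last written $($File.LastWriteTime)); check the scheduled alert."
}
if ($File.Length -eq 0) {
    throw "Export is empty: $Source"
}

# Create the dated folder and never overwrite an export that is already archived.
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null
if (Test-Path -LiteralPath $Dest) {
    throw "Refusing to overwrite existing export: $Dest"
}

Move-Item -LiteralPath $Source -Destination $Dest
Write-Output "Moved $Source to $Dest"
```

Run the scheduled task under an account that has only read and delete rights on the Splunk csv folder and write rights on the destination folder.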
Hi @Rayees,
if this answer solves your need, please accept it for the other people of the Community, or tell me how I can help you.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors ;-)