I need to run a scheduled search to export some logs every certain amount of time. The search I am using is this:
outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt
The problem is that each time the search runs, results.txt gets overridden. I would like to automatically append the time and date to the name of the file Eg. results3-2-1212-00.txt
Is this possible?
Thanks in advance.
You can do this through some subsearch ugliness (or beauty, I guess it's in the eye of the beholder 🙂 )
Subsearches work much like backticks in most UNIX shells, i.e. they run first of all and then return their results back to the outer query. You can put a subsearch anywhere in your search pipeline, including after
outputcsv. By default however, a subsearch returns a string that is formatted for being used by the search command. You can change this behaviour by calling
format (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format) to make sure the formatting suits your purposes.
The idea here would be to create a dynamic value for the filename in the subsearch, then return that filename to
... | outputcsv [search * | head 1 | eval query="results_".strftime(now(),"%d_%m_%y_%H_%M_%S") | fields query | format "" "" "" "" "" ""]
I don't know your level of Splunk-foo so let me know if you want more explanation on the internal workings of the search. I used now() as a method for getting the date/time that should be used when naming the results file - you might want to use another time, but if the current time is OK, just use now().
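A variant of the subsearch trick above, added here as an illustration and not part of Ayn's answer: the filename is derived from the start of the search's own time window (addinfo's info_min_time) instead of now(), so each scheduled run names its export after the period it actually covers. The source value and the results_ prefix are assumed placeholders.

```spl
source="syslog_host:10514"
| outputtext usexml=false
| rename _xml AS raw
| fields raw
| fields - _*
| outputcsv [
    search source="syslog_host:10514"
    | head 1
    | addinfo
    | eval query="results_" . strftime(info_min_time, "%d_%m_%y_%H_%M_%S") . ".txt"
    | fields query
    | format "" "" "" "" "" ""
  ]
```

If the subsearch matches no events in the scheduled window it returns nothing and outputcsv is left with an empty filename, so point the subsearch at a source that always has data in that window.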
Thanks a lot for your response Ayn.
I tried your suggestion, but I am getting the following error:
This search cannot be parsed when parse_only is set to true
What is the reason for this error?
I don't think that's an actual search error (I'm getting it as well), it's just a message from the search assistant that is used for helping you in some situations with the text you enter into the search field.
Wonderful!! 🙂 Thanks a lot for that, it works very well.
The only issue I have is that when the file is outputted, each log line is enclosed in double quotes.
Do you know the reason for that?
This is the command I am using:
source="10.70.22.80:10514"|outputtext usexml=false | rename xml as raw | fields raw | fields - _* | outputcsv [search * | head 1 | eval query="results".strftime(now(),"%d%m%y%H%M_%S").".txt" | fields query | format "" "" "" "" "" ""]
You see anything wrong?