Splunk Search

Cannot put a date string into outputcsv filename argument

Path Finder

I want to run a report each hour, this report returns a single row. I want to create a separate csv file for each day, which will have 24 rows. The index is tracking iis logs, and basically the query below is calculating the percentage of total downloads taken up by a specific type of swf file (filtered by "a_action").

Originally I was trying to use the "TIME" variable in the subsearch, but I realised the subsearch was being run first so the TIME variable didn't exist, so I changed it to another relative time. I am using relative times as the query is run at the end of the hour, and analyses the data for the hour before, so I want the time value for the query to be the hour before it is run. Even if I just use a "now()" call, the query still fails.

Some field values have been anonymised, where this is the case I've used the asterisk sign and capital letters.

index=iis a_app=*APP* | eventstats sum(sc_bytes) as TOTAL_BYTES | where like(a_action, "*APP*.swf") 
      | eventstats sum(sc_bytes) as SWF_BYTES | eval PERCENTAGE = SWF_BYTES/TOTAL_BYTES*100 | eval TIME=relative_time(now(),"-60m") 
      | stats values(TIME) as DATE_TIME, values(TOTAL_BYTES) as TOTAL_BYTES, values(SWF_BYTES) as SWF_BYTES, values(PERCENTAGE) as PERCENTAGE 
      | outputcsv append=true 
        [ | stats count | eval FILENAME=strftime(relative_time(now(),"-60m"),"swf_download_%d_%m_%Y") | fields FILENAME ]

So basically everything before the outputcsv function works, the subsearch in the outputcsv function should return a string such as "swf_download_14_01_2016", however the search fails, and I get the following errors:

Error in 'outputcsv' command: Invalid argument: '('
The search job has failed due to an error. You may be able view the job in the Job Inspector.

When I run the subsearch on its own it does return the correct string "swf_download_14_01_2016", so I am confused as to why this string is not returning and being used as the csv filename.

Thanks.

1 Solution

Path Finder

The result of your subsearch is formatted as ( ( FILENAME="swf_download_14_01_2016" ) ).

Try return $FILENAME instead of fields FILENAME.
See also:
https://answers.splunk.com/answers/85395/earliest-or-latest-time-in-outputcsv-filename.html#answer-9...

Or add | format "" "" "" "" "" "" after fields FILENAME.

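An added Python model (written for this page, not Splunk's code and not from either poster) of what text each subsearch ending hands to outputcsv: `spl_format` reproduces the default delimiters of `| format` (assumed from the Splunk docs to be `( ( AND ) OR )`), `spl_return` models `return $FILENAME`, and `hourly_filename` is the strftime/relative_time expression from the question, including the run just after midnight. The function and variant names are the example's own.

```python
from datetime import datetime, timedelta

# Default delimiters of Splunk's `| format`, in argument order: row prefix,
# column prefix, column separator, column end, row separator, row end.
DEFAULT_FORMAT = ("(", "(", "AND", ")", "OR", ")")
EMPTY_FORMAT = ("", "", "", "", "", "")

def spl_format(rows, delims=DEFAULT_FORMAT):
    """Render subsearch rows as `| format` does before they are spliced into
    the outer search; this is what `fields FILENAME` hands to outputcsv."""
    row_pre, col_pre, col_sep, col_end, row_sep, row_end = delims
    tokens = [row_pre]
    for i, row in enumerate(rows):
        if i:
            tokens.append(row_sep)
        tokens.append(col_pre)
        for j, (key, value) in enumerate(row.items()):
            if j:
                tokens.append(col_sep)
            tokens.append(f'{key}="{value}"')
        tokens.append(col_end)
    tokens.append(row_end)
    return " ".join(t for t in tokens if t)  # empty delimiters simply vanish

def spl_return(rows, *specs):
    """Model `| return`: `$field` yields the bare value, `field` yields
    field="value"; only the first row is used (return's default count)."""
    first = rows[0]
    parts = [str(first[s[1:]]) if s.startswith("$") else f'{s}="{first[s]}"'
             for s in specs]
    return " ".join(parts)

def hourly_filename(now, fmt="swf_download_%d_%m_%Y"):
    """strftime(relative_time(now(),"-60m"), fmt): the file is named after the
    hour analysed, so the 00:xx run still lands in the previous day's file."""
    if isinstance(now, str):  # accept ISO-8601 text as well as datetime
        now = datetime.fromisoformat(now)
    return (now - timedelta(minutes=60)).strftime(fmt)

def outputcsv_argument(now, variant):
    """Text that reaches outputcsv for each of the three subsearch endings."""
    rows = [{"FILENAME": hourly_filename(now)}]
    if variant == "fields":        # original query: "Invalid argument: '('"
        return spl_format(rows)
    if variant == "format_empty":  # | format "" "" "" "" "" ""
        return spl_format(rows, EMPTY_FORMAT)
    if variant == "return":        # | return $FILENAME
        return spl_return(rows, "$FILENAME")
    raise ValueError(f"unknown variant {variant!r}")
```

Compare the three strings for the same hour to see why only the bare value from `return $FILENAME` is a usable filename argument.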


Path Finder

Return worked. I saw that answer earlier and forgot about the return variation as well!

Thanks a lot!
