Splunk Search

Download results a CVS file properly with column values instead of rows!

andres91302
Communicator

hello guys.. I am having a HUGE trouble when downloading my results as a CVS file.

this is my query

| search ....
| table A B C

I see on Splunk that the results are shown as 3 colummns with its values in vertical fashion... like this

ABC
159
267
3810



but when I download these results as a cvs file and I open it The results are shown in this weird manner:


    (IN THE FIRST row which is ok)     A,B,C                                                                   
               ( the second row)                     1 2 3 4 5 67 9 7 10

which is not ok... can someone please help me thank you so much!!!!!! so so much

Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Are you sure that those values are individual. Based on your CSV export it seems to be one row with three elements which are multivalve elements not there rows with single values in each element.

r. Ismo

0 Karma

andres91302
Communicator
Hi @isoutamo thank you for taking the time to reply--- yes they are in fact one row with multivalues, is there a way to have this three columns shown or downloaded as a table format where eache value is stored in in cell? for further reference my results come from the following commands: | makemv delim="," ID_SUGGAR | makemv delim="," ID_DOUBLE | eval IDS=mvmap(ID_SUGGAR,if(isnull(mvfind(ID_DOUBLE,ID_SUGGAR)),ID_SUGGAR,null())) thank you much sir
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi 

You could try like this

| makeresults 
| eval A = "1,5,9", B = "2,6,7", C = "3,8,10" 
| makemv delim="," A 
| makemv delim="," B 
| makemv delim="," C
    ```Prepare example data```
| eval foo = mvzip(A,mvzip(B,C))
| fields foo
| mvexpand foo
| makemv delim="," foo
| eval A = mvindex(foo, 0), B = mvindex(foo, 1), C=mvindex(foo,2)
| fields - foo

r. Ismo 

0 Karma

493669
Super Champion

@andres91302 
Please try opening downloaded csv file in Microsoft excel to see results in tabular format.


If this reply helps an upvote will be appreciated!

0 Karma
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...