Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Export results of timechart into CSV or other format

myudkowsky
Communicator
‎10-11-2012 06:17 AM

I've created a search that counts each value of "nlist" in a particular timeframe:

nodelist | rex field=_raw "nodelist \"\"(?<nlist>[0-9 ]*)" |fields + nlist | timechart count(nlist) BY nlist

This produces exactly the table I need. When I attempt to export these results into a CSV, JSON, or XML file -- using the drop-down "Actions"->"Export results..." I do get a file downloaded to my local machine; but that file contains only the _time field.

What I believe is happening here is that even though I'm in table view and can see count(nlist) BY nlist, the export happens on the eventlist (and doesn't even include the nlist even though I've included it explicitly by use of "fields").

  1. Can "export results" be used to export this kind of information, namely counts and values?
  2. If so, what am I doing wrong?

NOTE: I do not have access to the Splunk server, so "exportcsv" is not an option for me. I can only use Actions->Export Results to get data off the server.

Tags (2)
0 Karma
Reply

bmacias84
Champion
‎10-19-2012 11:35 AM

It looks like you just want to counts over a time span by nlist . To accomplish this use the bucket command. 



mysearch | bucket _time span=5m | nodelist | rex field=_raw "nodelist \"\"(?[0-9 ]*)" |fields + nlist | stats count(nlist) as list_count by _time, nlist

Change span to interval you want counts for. This should fix your export problem. Hope this helps or give you an idea.

0 Karma
Reply

myudkowsky
Communicator
‎10-22-2012 05:33 AM

Hi, thanks for the idea, I will give it a try and come back and let you know.

0 Karma
Reply

Neeraj_Luthra
Splunk Employee
Splunk Employee
‎10-19-2012 07:46 AM

The app also works on 4.x. Is it possible for you to upgrade to 4.x?

0 Karma
Reply

myudkowsky
Communicator
‎10-14-2012 05:40 AM

Thanks for the idea for alternative access. Unfortunately, as noted above, I don't have access to the internals of the Splunk server, and we're on Splunk 3.x while this solution is shown as 5.x.

0 Karma
Reply

Neeraj_Luthra
Splunk Employee
Splunk Employee
‎10-12-2012 11:49 PM

If you have PowerPivot installed in Excel, you can also try the OData app (http://splunk-base.splunk.com/apps/58162/odata-for-splunk) to pull Saved Search data from Splunk into Excel.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...