Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Export results of timechart into CSV or other format

myudkowsky
Communicator
‎10-11-2012 06:17 AM

I've created a search that counts each value of "nlist" in a particular timeframe:

nodelist | rex field=_raw "nodelist \"\"(?<nlist>[0-9 ]*)" |fields + nlist | timechart count(nlist) BY nlist

This produces exactly the table I need. When I attempt to export these results into a CSV, JSON, or XML file -- using the drop-down "Actions"->"Export results..." I do get a file downloaded to my local machine; but that file contains only the _time field.

What I believe is happening here is that even though I'm in table view and can see count(nlist) BY nlist, the export happens on the eventlist (and doesn't even include the nlist even though I've included it explicitly by use of "fields").

  1. Can "export results" be used to export this kind of information, namely counts and values?
  2. If so, what am I doing wrong?

NOTE: I do not have access to the Splunk server, so "exportcsv" is not an option for me. I can only use Actions->Export Results to get data off the server.

Tags (2)
0 Karma
Reply

bmacias84
Champion
‎10-19-2012 11:35 AM

It looks like you just want to counts over a time span by nlist . To accomplish this use the bucket command. 



mysearch | bucket _time span=5m | nodelist | rex field=_raw "nodelist \"\"(?[0-9 ]*)" |fields + nlist | stats count(nlist) as list_count by _time, nlist

Change span to interval you want counts for. This should fix your export problem. Hope this helps or give you an idea.

0 Karma
Reply

myudkowsky
Communicator
‎10-22-2012 05:33 AM

Hi, thanks for the idea, I will give it a try and come back and let you know.

0 Karma
Reply

Neeraj_Luthra
Splunk Employee
Splunk Employee
‎10-19-2012 07:46 AM

The app also works on 4.x. Is it possible for you to upgrade to 4.x?

0 Karma
Reply

myudkowsky
Communicator
‎10-14-2012 05:40 AM

Thanks for the idea for alternative access. Unfortunately, as noted above, I don't have access to the internals of the Splunk server, and we're on Splunk 3.x while this solution is shown as 5.x.

0 Karma
Reply

Neeraj_Luthra
Splunk Employee
Splunk Employee
‎10-12-2012 11:49 PM

If you have PowerPivot installed in Excel, you can also try the OData app (http://splunk-base.splunk.com/apps/58162/odata-for-splunk) to pull Saved Search data from Splunk into Excel.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...