Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Export results of timechart into CSV or other format

myudkowsky
Communicator
‎10-11-2012 06:17 AM

I've created a search that counts each value of "nlist" in a particular timeframe:

nodelist | rex field=_raw "nodelist \"\"(?<nlist>[0-9 ]*)" |fields + nlist | timechart count(nlist) BY nlist

This produces exactly the table I need. When I attempt to export these results into a CSV, JSON, or XML file -- using the drop-down "Actions"->"Export results..." I do get a file downloaded to my local machine; but that file contains only the _time field.

What I believe is happening here is that even though I'm in table view and can see count(nlist) BY nlist, the export happens on the eventlist (and doesn't even include the nlist even though I've included it explicitly by use of "fields").

  1. Can "export results" be used to export this kind of information, namely counts and values?
  2. If so, what am I doing wrong?

NOTE: I do not have access to the Splunk server, so "exportcsv" is not an option for me. I can only use Actions->Export Results to get data off the server.

Tags (2)
0 Karma
Reply

bmacias84
Champion
‎10-19-2012 11:35 AM

It looks like you just want to counts over a time span by nlist . To accomplish this use the bucket command. 



mysearch | bucket _time span=5m | nodelist | rex field=_raw "nodelist \"\"(?[0-9 ]*)" |fields + nlist | stats count(nlist) as list_count by _time, nlist

Change span to interval you want counts for. This should fix your export problem. Hope this helps or give you an idea.

0 Karma
Reply

myudkowsky
Communicator
‎10-22-2012 05:33 AM

Hi, thanks for the idea, I will give it a try and come back and let you know.

0 Karma
Reply

Neeraj_Luthra
Splunk Employee
Splunk Employee
‎10-19-2012 07:46 AM

The app also works on 4.x. Is it possible for you to upgrade to 4.x?

0 Karma
Reply

myudkowsky
Communicator
‎10-14-2012 05:40 AM

Thanks for the idea for alternative access. Unfortunately, as noted above, I don't have access to the internals of the Splunk server, and we're on Splunk 3.x while this solution is shown as 5.x.

0 Karma
Reply

Neeraj_Luthra
Splunk Employee
Splunk Employee
‎10-12-2012 11:49 PM

If you have PowerPivot installed in Excel, you can also try the OData app (http://splunk-base.splunk.com/apps/58162/odata-for-splunk) to pull Saved Search data from Splunk into Excel.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...