Generate CSV every 24 hours

splunkcol · ‎12-20-2020

I have been asked to generate a csv with the indexed information of 1 index after 02:00 hours and that the name of the csv file that is generated has the name of the index and the date, I don't know if it can be concatenated

name csv = index_date.csv

I know the inputlookup command exists

I think it would be something like this

index = myindex | inputlookup file.csv

but I don't know how to create the complete query in such a way that it generates the file with the name I need

for example

firewall_20122020
firewall_21122020
firewall_22122020
firewall_23122020

splunkcol · ‎12-30-2020

The query is created and after obtaining the result it is saved as a report, given a name and saved.

After saving, a pop-up window appears that allows programming at what time and how often to generate the file

index=firewall
| outputcsv [stats count | eval search=strftime(now(), "firewall-%y%m%d-%H%M%S.csv")]

Generate CSV every 24 hours

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation

Generate CSV every 24 hours

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!