Splunk Search

Generate CSV every 24 hours

splunkcol
Builder

I have been asked to generate a CSV with the indexed information of one index after 02:00 hours, and the name of the generated CSV file should be the index name and the date. I don't know if it can be concatenated.

CSV name = index_date.csv

I know the inputlookup command exists.

I think it would be something like this:

index = myindex | inputlookup file.csv

but I don't know how to create the complete query so that it generates the file with the name I need.

For example:

firewall_20122020
firewall_21122020
firewall_22122020
firewall_23122020


splunkcol
Builder

The query is created and, after obtaining the result, it is saved as a report: give it a name and save it.

After saving, a pop-up window appears that allows you to schedule at what time and how often the file is generated.


index=firewall
| outputcsv [| stats count | eval search=strftime(now(), "firewall-%y%m%d-%H%M%S.csv")]

0 Karma
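As an added example (not from the original post), a variant of the same subsearch trick that produces the index_ddmmyyyy naming asked for in the question and, when the report is scheduled daily at 02:00, exports exactly the previous calendar day; `firewall` is the assumed index name:

```spl
index=firewall earliest=-1d@d latest=@d
| outputcsv [| makeresults
             | eval search=strftime(relative_time(now(), "-1d@d"), "firewall_%d%m%Y.csv")]
```

The subsearch must begin with a leading pipe so that makeresults runs as a generating command instead of being treated as search terms, and outputcsv writes the file under $SPLUNK_HOME/var/run/splunk/csv/ on the search head.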