Splunk Search

Is it possible to export select fields to a CSV using the outputcsv command?

nick405060
Motivator

I need to be able to take my data, export some of the fields to a CSV, and then use the rest of the data in the rest of my search. Unfortunately, the outputcsv command will only output all of your fields, and if you select the fields you want to output before using outputcsv, then the command erases your other fields.

Pseudocode:

... | table a b c d e f | outputcsv a b c "mycsv.csv" | table d e f

... where a b c are outputted to the CSV, and d e f are used afterwards in the search.

0 Karma
1 Solution

nick405060
Motivator

Thanks to @martin_muller for answering this question on Slack! This was his suggestion and should work for most people viewing this question. (Your outputcsv command needs to go where export is)

martin_mueller [1:46 PM]
| appendpipe [fields foo bar | export | where false()] | ...

However, I didn't mention in the original question that there's an added snag in my case. I'm actually taking my data, appending part of it to an inputted csv, updating that csv, and then continuing to use the original data. So, I had to "back up" each field before the appending, use Martin's solution to output, and then revert my fields to continue on with my search.

... | eval a_=a | eval b_=b | eval c_=c
| append [| inputcsv "alerts.csv"] | appendpipe [fields a b c | outputcsv "alerts.csv" | where false()]
| eval a=a_ | eval b=b_ | eval c=c_

If anyone is wondering what I am actually trying to accomplish here, I want to log each alert that Splunk generates in an aggregate csv file but also send out that alert individually in an email. I used this solution to do so.

EDIT: There's probably a way to just have my alert, and then at the end of it do a hidden subsearch that both appends the alert to the csv and updates it without affecting the email that goes out. I don't know how to do that.

EDIT 2: After all this work I remembered that there's an "Output results to lookup - APPEND" option for alerts in Splunk 7. I hate my life. I'll leave this up since the original question is actually helpful.


0 Karma
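Added example, not from the post or from Splunk's docs: a self-contained search that builds a few constructed alert rows with makeresults, writes only the alert_name, src_ip and dest_host fields to the aggregate CSV from inside an appendpipe subpipeline, discards the copied rows with where false(), and keeps every field (including raw_detail) for the email step that follows. It assumes the outputcsv append=true option (available since Splunk 6.x) so the inputcsv round-trip and the field backups from the post are not needed; the field names and the filename alerts.csv are made up.

```spl
| makeresults count=3
| streamstats count AS n
| eval alert_name="constructed_alert_".n, src_ip="10.0.0.".n, dest_host="host".n, raw_detail="constructed detail ".n
| fields - _time n
| appendpipe
    [ fields alert_name src_ip dest_host
    | outputcsv append=true alerts.csv
    | where false() ]
| table alert_name src_ip dest_host raw_detail
```

The fields command inside the brackets only narrows the copy that appendpipe feeds to outputcsv, so the outer results still carry raw_detail; with append=true, outputcsv reuses the header of an existing alerts.csv and writes only the columns it names.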