Splunk Search

Is it possible to export select fields to a CSV using the outputcsv command?

Motivator

I need to be able to take my data, export some of the fields to a CSV, and then use the rest of the data in the rest of my search. Unfortunately, the outputcsv command will only output all of your fields, and if you select the fields you want to output before using outputcsv, then the command erases your other fields.

Pseudocode:

... | table a b c d e f | outputcsv a b c "mycsv.csv" | table d e f

... where a b c are outputted to the CSV, and d e f are used afterwards in the search.


Re: Is it possible to export select fields to a CSV using the outputcsv command?

Motivator

Thanks to @martin_muller for answering this question on Slack! This was his suggestion and should work for most people viewing this question. (Your outputcsv command needs to go where export is)

martin_mueller [1:46 PM]
| appendpipe [fields foo bar | export | where false()] | ...

However, I didn't mention in the original question that there's an added snag in my case. I'm actually taking my data, appending part of it to an inputted csv, updating that csv, and then continuing to use the original data. So, I had to "back up" each field before the appending, use Martin's solution to output, and then revert my fields to continue on with my search.

... | eval a_=a | eval b_=b | eval c_=c
| append [| inputcsv "alerts.csv"] | appendpipe [fields a b c | outputcsv "alerts.csv" | where false()]
| eval a=a_ | eval b=b_ | eval c=c_

If anyone is wondering what I am actually trying to accomplish here, I want to log each alert that Splunk generates in an aggregate csv file but also send out that alert individually in an email. I used this solution to do so.

EDIT: There's probably a way to just have my alert, and then at the end of it do a hidden subsearch that both appends the alert to the csv and updates it without affecting the email that goes out. I don't know how to do that.

EDIT 2: After all this work I remembered that there's an "Output results to lookup - APPEND" option for alerts in Splunk 7. I hate my life. I'll leave this up since the original question is actually helpful.

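The appendpipe / outputcsv / where false() pattern from the answer, worked into a complete alert search as an added example; this is not code from the original posts, from martin_mueller or from Splunk. It assumes constructed data: an index `auth` with sourcetype `linux_secure` carrying the fields `user`, `src` and `action`, and a results file `failed_login_alerts.csv` that already exists with a header row before the first run. It also assumes (not verified on the page) that an `append` with an `inputcsv` subsearch behaves inside an appendpipe subpipeline exactly as it does at top level; that is what lets the old CSV be merged into the saved file without the backup-and-restore eval steps the poster needed.

```spl
index=auth sourcetype=linux_secure action=failure earliest=-15m
| stats count AS failures, dc(user) AS distinct_users, values(user) AS users BY src
| where failures >= 20
| eval alert_time=now(), rule="ssh_bruteforce"
| appendpipe
    [ fields alert_time rule src failures distinct_users
    | append [| inputcsv "failed_login_alerts.csv" ]
    | outputcsv "failed_login_alerts.csv"
    | where false() ]
| table src failures distinct_users users
```

Everything before `appendpipe` is the detection itself (twenty or more SSH authentication failures from one source in fifteen minutes). The subpipeline in square brackets sees a copy of those results, keeps only the columns worth persisting, merges in the rows already on disk, rewrites the file, and then discards its own rows with `where false()`. The main pipeline never loses a field, so the final `table` (or an email alert action fed by it) still has `users`, which was deliberately left out of the saved CSV. Note that the merge overwrites the whole file on every run; if the file is absent on the first run the `inputcsv` subsearch returns nothing, so create it with the header row first, and prefer the Splunk 7 "Output results to lookup - APPEND" alert action the poster mentions where it is available, since it avoids the rewrite entirely.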