Splunk Search

Is there a way to include the ad hoc search and the time range it was run when exporting the results to CSV?

jaalex101
Explorer

Hi,

Is there a way to save the Splunk search along with the time frame of the search when exporting the results to CSV? Currently, I manually add these details to the downloaded CSV file, but there are times when I miss this and wonder what the exact search was.

Thanks,
Joseph

0 Karma
1 Solution

rsennett_splunk
Splunk Employee
Splunk Employee

To do this, it must be a saved search... otherwise, you really have no way to attach the query at all if it's adhoc and you are back to cutting and pasting... And anything else would have to be done programatically... if you're game... basically you must save the search so that the info and entry is saved in savedsearches.conf then you have two options... neither is a click away:

the PYTHON SDK
http://dev.splunk.com/view/python-sdk/SP-CAAAEK2#viewpropssaved
Grab the value of the search= key word for the stanza matching the saved search and any other key words you want (dispatch.earliest_time etc) Then open the cvs file you just wrote (or have your script find it as the latest one... etc) and add a "header" prefixed by a marker, say ## and then compose your header
write the value of search= and the others in the saved search stanza you are looking for and there you have it.

You can also retrieve the search query info using the REST API and use the Configuration Endpoints... but you would then still have to mechanize the editing of your csv file so I'd go for python. it wouldn't be super complex.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

rsennett_splunk
Splunk Employee
Splunk Employee

To do this, it must be a saved search... otherwise, you really have no way to attach the query at all if it's adhoc and you are back to cutting and pasting... And anything else would have to be done programatically... if you're game... basically you must save the search so that the info and entry is saved in savedsearches.conf then you have two options... neither is a click away:

the PYTHON SDK
http://dev.splunk.com/view/python-sdk/SP-CAAAEK2#viewpropssaved
Grab the value of the search= key word for the stanza matching the saved search and any other key words you want (dispatch.earliest_time etc) Then open the cvs file you just wrote (or have your script find it as the latest one... etc) and add a "header" prefixed by a marker, say ## and then compose your header
write the value of search= and the others in the saved search stanza you are looking for and there you have it.

You can also retrieve the search query info using the REST API and use the Configuration Endpoints... but you would then still have to mechanize the editing of your csv file so I'd go for python. it wouldn't be super complex.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

jaalex101
Explorer

Thanks. My original question was for an adhoc query with a 1-click solution , but these pointers towards a programmatic approach for a saved search is good too. Marking as accepted.

rsennett_splunk
Splunk Employee
Splunk Employee

open another question and explain that you'd like a way to export the "metadata" for a search with a click. Mark it as a feature request. 🙂

Glad this helped... thank you for accepting.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

After you export to csv, click the print button and save to PDF. The output of the "print" includes the query and the output (as much as fits on the page, so you can remember the context.Looks like this:
alt text

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

jaalex101
Explorer

Thanks, but then i have to maintain two documents. Would it be an useful feature to add this in the CSV export itself ? . The slight downside would be it would have some extra text apart from the raw data itself.

0 Karma

jeffland
SplunkTrust
SplunkTrust

I don't see how you could put something inside a .csv file that is not recognized as content, and it seems that that's the way it is.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...