Splunk Search

Is there a way to include the ad hoc search and the time range it was run when exporting the results to CSV?

Explorer

Hi,

Is there a way to save the Splunk search along with the time frame of the search when exporting the results to CSV? Currently, I manually add these details to the downloaded CSV file, but there are times when I miss this and wonder what the exact search was.

Thanks,
Joseph

0 Karma
1 Solution

Splunk Employee

To do this, it must be a saved search... otherwise, you really have no way to attach the query at all if it's ad hoc and you are back to cutting and pasting... And anything else would have to be done programmatically... if you're game... basically you must save the search so that the info and entry is saved in savedsearches.conf, then you have two options... neither is a click away:

the PYTHON SDK
http://dev.splunk.com/view/python-sdk/SP-CAAAEK2#viewpropssaved
Grab the value of the search= key word for the stanza matching the saved search and any other key words you want (dispatch.earliest_time etc.). Then open the csv file you just wrote (or have your script find it as the latest one... etc.) and add a "header" prefixed by a marker, say ##, and then compose your header:
write the value of search= and the others in the saved search stanza you are looking for, and there you have it.

You can also retrieve the search query info using the REST API and use the Configuration Endpoints... but you would then still have to mechanize the editing of your csv file so I'd go for python. it wouldn't be super complex.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

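As an added, self-contained illustration of the approach in this answer (not code from the Splunk Python SDK or from the poster): instead of the SDK it reads the saved-search stanza from savedsearches.conf-style text with Python's configparser, so it runs offline against a constructed stanza, a constructed two-row export, and a made-up search name ("Failed logins by source"); every function name is an assumption for the example. Because CSV has no comment syntax, the block also shows how a consumer has to strip the ## lines back out, which is the cost of carrying the metadata inside the export.

```python
import configparser
import csv
import io
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample of a savedsearches.conf stanza (not from any real deployment).
SAMPLE_SAVEDSEARCHES_CONF = """\
[Failed logins by source]
search = index=auth action=failure | stats count by src_ip | where count > 20
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
"""

# Constructed sample export, shaped like a Splunk "Export > CSV" result.
SAMPLE_EXPORT_CSV = "src_ip,count\n198.51.100.7,42\n203.0.113.9,27\n"

# Keys from the stanza worth recording next to the data.
METADATA_KEYS = ("search", "dispatch.earliest_time", "dispatch.latest_time")
MARKER = "## "


def load_saved_search(conf_text, stanza_name):
    """Return the key/value pairs of one stanza from savedsearches.conf text.

    Splunk conf files are INI-like, so configparser is enough here; a real
    deployment would fetch the merged settings through the SDK or the REST
    configuration endpoints rather than parse a local file.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(conf_text)
    if stanza_name not in parser:
        raise KeyError("no stanza named %r" % stanza_name)
    return dict(parser[stanza_name])


def build_metadata_header(stanza_name, stanza, exported_at):
    """Build the '## key = value' lines that go in front of the CSV rows."""
    lines = [MARKER + "saved_search = " + stanza_name,
             MARKER + "exported_at = " + exported_at.isoformat()]
    for key in METADATA_KEYS:
        if key in stanza:
            lines.append(MARKER + key + " = " + stanza[key])
    return "\n".join(lines) + "\n"


def prepend_metadata(csv_path, header_text):
    """Rewrite csv_path with header_text placed before the original contents."""
    with open(csv_path, "r", encoding="utf-8", newline="") as fh:
        body = fh.read()
    with open(csv_path, "w", encoding="utf-8", newline="") as fh:
        fh.write(header_text)
        fh.write(body)


def read_annotated_csv(csv_path):
    """Read the file back, separating the ## metadata from the CSV rows.

    Plain csv readers would treat the marker lines as data, so they are
    filtered out before the remaining text is handed to csv.DictReader.
    """
    metadata = {}
    data_lines = []
    with open(csv_path, "r", encoding="utf-8", newline="") as fh:
        for line in fh:
            if line.startswith(MARKER):
                key, _, value = line[len(MARKER):].rstrip("\r\n").partition(" = ")
                metadata[key] = value
            else:
                data_lines.append(line)
    rows = list(csv.DictReader(io.StringIO("".join(data_lines))))
    return metadata, rows


def annotate_export(conf_text, stanza_name, csv_path, exported_at=None):
    """Full flow: look up the stanza, build the header, rewrite and re-read the CSV."""
    stanza = load_saved_search(conf_text, stanza_name)
    exported_at = exported_at or datetime.now(timezone.utc)
    prepend_metadata(csv_path, build_metadata_header(stanza_name, stanza, exported_at))
    return read_annotated_csv(csv_path)


def demo():
    """Run the flow against the constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "export.csv")
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(SAMPLE_EXPORT_CSV)
        fixed_time = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
        return annotate_export(SAMPLE_SAVEDSEARCHES_CONF, "Failed logins by source", path, fixed_time)


if __name__ == "__main__":
    meta, rows = demo()
    for key, value in meta.items():
        print(key, "=", value)
    print(rows)
```

The marker lines are only a convention between the script that writes them and whatever reads the file later; Excel, pandas and Splunk's own CSV inputs will see them as ordinary rows unless they are told to skip lines beginning with ##.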


Explorer

Thanks. My original question was for an ad hoc query with a 1-click solution, but these pointers towards a programmatic approach for a saved search are good too. Marking as accepted.

Splunk Employee

Open another question and explain that you'd like a way to export the "metadata" for a search with a click. Mark it as a feature request. 🙂

Glad this helped... thank you for accepting.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Splunk Employee

After you export to csv, click the print button and save to PDF. The output of the "print" includes the query and the output (as much as fits on the page), so you can remember the context. Looks like this:
[screenshot of the printed output]

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Explorer

Thanks, but then I have to maintain two documents. Would it be a useful feature to add this in the CSV export itself? The slight downside would be that it would have some extra text apart from the raw data itself.

0 Karma

Champion

I don't see how you could put something inside a .csv file that is not recognized as content, and it seems that that's the way it is.

0 Karma