Search to export structured CSV from Splunk

psychogyiokosta · ‎09-05-2019

Hi,

Using Splunk on a raw log file I get the total templates (clusters) of logs using something like:

host="my_host index="my_index" sourcetype="my_log" Content=*
| eval rex_template=replace("this", "*")
| cluster t=0.9 labelonly=true labelfield=Template match=termlist field=rex_template
| stats count AS Occurences, values(rex_template) AS REGEX_Expressions by Template

However, I want to extract the file of the structured logs (not templates). Each log line from the raw file has a corresponding structured row with columns, where each column is an attribute describing the log (e.g. Time, PID, BlockID, etc.)

My search for this, is something like:

host="my_host index="my_index" sourcetype="my_log" Content=*
| cluster t=0.9
| outputcsv structured_logs.csv

So we output the structured lines in a CSV file which we can export.

Is there a way to download via terminal the structured file, using the first of the 2 searches above? This search generates just templates, not the whole file of structured logs

Thank you.
I ssh to my Splunk VM trying to find the file(s) containing the structured logs without success so far.

codebuilder · ‎09-05-2019

I think you want to do something like this:

host="my_host index="my_index" sourcetype="my_log" Content=*
| cluster t=0.9
| table _raw
| outputcsv structured_logs.csv

----
An upvote would be appreciated and Accept Solution if it helps!

Search to export structured CSV from Splunk

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest