Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search to export structured CSV from Splunk

psychogyiokosta
New Member
‎09-05-2019 10:17 AM

Hi,

Using Splunk on a raw log file I get the total templates (clusters) of logs using something like:

host="my_host index="my_index" sourcetype="my_log" Content=*
| eval rex_template=replace("this", "*")
| cluster t=0.9 labelonly=true labelfield=Template match=termlist field=rex_template
| stats count AS Occurences, values(rex_template) AS REGEX_Expressions by Template

However, I want to extract the file of the structured logs (not templates). Each log line from the raw file has a corresponding structured row with columns, where each column is an attribute describing the log (e.g. Time, PID, BlockID, etc.)

My search for this, is something like:

host="my_host index="my_index" sourcetype="my_log" Content=*
| cluster t=0.9
| outputcsv structured_logs.csv

So we output the structured lines in a CSV file which we can export.

Is there a way to download via terminal the structured file, using the first of the 2 searches above? This search generates just templates, not the whole file of structured logs

Thank you.
I ssh to my Splunk VM trying to find the file(s) containing the structured logs without success so far.

0 Karma
Reply

codebuilder
Influencer
‎09-05-2019 03:33 PM

I think you want to do something like this:

host="my_host index="my_index" sourcetype="my_log" Content=*
| cluster t=0.9
| table _raw
| outputcsv structured_logs.csv
----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...