Re: Search to export structured CSV from Splunk

psychogyiokosta · ‎09-05-2019

Hi,

Using Splunk on a raw log file I get the total templates (clusters) of logs using something like:

host="my_host index="my_index" sourcetype="my_log" Content=*
| eval rex_template=replace("this", "*")
| cluster t=0.9 labelonly=true labelfield=Template match=termlist field=rex_template
| stats count AS Occurences, values(rex_template) AS REGEX_Expressions by Template

However, I want to extract the file of the structured logs (not templates). Each log line from the raw file has a corresponding structured row with columns, where each column is an attribute describing the log (e.g. Time, PID, BlockID, etc.)

My search for this, is something like:

host="my_host index="my_index" sourcetype="my_log" Content=*
| cluster t=0.9
| outputcsv structured_logs.csv

So we output the structured lines in a CSV file which we can export.

Is there a way to download via terminal the structured file, using the first of the 2 searches above? This search generates just templates, not the whole file of structured logs

Thank you.
I ssh to my Splunk VM trying to find the file(s) containing the structured logs without success so far.

codebuilder · ‎09-05-2019

I think you want to do something like this:

host="my_host index="my_index" sourcetype="my_log" Content=*
| cluster t=0.9
| table _raw
| outputcsv structured_logs.csv

----
An upvote would be appreciated and Accept Solution if it helps!

Search to export structured CSV from Splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation