I have a workaround... I've seen this before and the conclusion is the API doesn't export the null values. This is the workaround:
search index=indexname
| sort - _time
| rename _time AS time
| convert ctime(time)
| eval fielda=if(isnull(fielda),",",fielda)
| eval fieldb=if(isnull(fieldb),",",fieldb)
| eval fieldc=if(isnull(fieldc),",",fieldc)
| eval fieldd=if(isnull(fieldd),",",fieldd)
| eval fielde=if(isnull(fielde),",",fielde)
| table fielda fieldb fieldc fieldd fielde
What it will do is replace null values with commas and then the API is forced to export in correct csv format.
You can probably do this several other ways, like 'fillnull value="," (fields here)'
Use the fillnull command to fill the null values...
root search... | fillnull value=null | ... statistical/charting command
I tried this as well, but I still get neither the null field values nor the header names.
Can you please share the search?
curl -k -u <user>:<password> https://url -d search="search index= sourcetype= earliest=-30d latest=now | fillnull value=null | sort -_time | rename _time AS time | convert ctime(time) | table field1,field2,field3,field4,field5,field5" -d output_mode=csv -o /home/username/test.csv
Output:
field5
608
214
407
860
219
901
843
904
480
I am expecting something like:
field1,field2,field3,field4,field5
,,,,608
,,,,214
,,,,407
,,,,860
,,,,219
,,,,901
,,,,843
,,,,904
,,,,480
What API endpoint are you using? You only mention a URL, not /saved/searches/ ... etc.
Try uppercase null .. | fillnull value=NULL
OK... so since field1,field2,field3,field4 are null when you get to the pipe with fillnull, the search processor doesn't know that they exist, and therefore cannot fill them with null...
try:
... | fillnull value=NULL field1,field2,field3,field4,field5 | ...
That should explicitly tell the fillnull processor that those fields exist and need to be set.
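As an added illustration (not code from any of the posters), the following Python builds the export request body with fillnull naming the fields explicitly, as suggested above, and also shows a client-side fallback that re-emits whatever CSV the API returned with every expected column present. The field names, index and sourcetype are placeholders, and the sample response is constructed to match the output shown earlier in the thread.

```python
import csv
import io
from urllib.parse import urlencode

# Hypothetical field list; stands in for field1..field5 from the thread.
FIELDS = ["field1", "field2", "field3", "field4", "field5"]


def build_export_body(index, sourcetype, fields, earliest="-30d"):
    """Return the POST body for /services/search/jobs/export.

    fillnull is given the field list explicitly so that fields which are
    null in every event still exist by the time `table` runs.
    """
    spl = (
        f"search index={index} sourcetype={sourcetype} "
        f"earliest={earliest} latest=now "
        f"| fillnull value=NULL {','.join(fields)} "
        f"| sort -_time | rename _time AS time | convert ctime(time) "
        f"| table {','.join(fields)}"
    )
    return urlencode({"search": spl, "output_mode": "csv"})


def normalize_csv(csv_text, fields, missing=""):
    """Client-side fallback: re-emit CSV with every expected column.

    Columns absent from the export are filled with `missing`; columns the
    export added that were not requested are dropped.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, restval=missing,
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


# Constructed sample: the API response from the thread (only field5 came back).
RETURNED = "field5\n608\n214\n407\n"

if __name__ == "__main__":
    print(build_export_body("main", "syslog", FIELDS))
    print(normalize_csv(RETURNED, FIELDS))
```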
If you're using the preview_results endpoint with output_mode:json_rows, you should be able to set the field_list to include the fields you want. Those fields then should come back even if all the values are NULL.
I am using output_mode=csv.
I found this cannot be done. 😞
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Extractfieldsfromfileheadersatindextime