Is there a way to export a CSV file that contains ...

brunoabreu · ‎06-28-2022

I'm using Splunk Python SDK to download a search result as a CSV file.

The output file contains a header row if the search returns one or more events.

When there is no events from search, the CSV file generated is empty, without hearder row.

As a requirement, I need all generated CSV files to contain at least the header row even though the search does not return any events.

preotesoiu · ‎06-28-2022

have not tried it but look into using
| append [makeresults | eval "header_field"=header_field, ....]

brunoabreu · ‎06-28-2022

It resulted in duplicated header row.

First one, the header itself, and the second one a row which contains field values identical to the header.

And actually it would be nice if I could add this header without the need of knowing the field names in advance.

preotesoiu · ‎06-28-2022

can't test in my env right now, but look into adding some conditions to the append that are true only if the search before the append returns null values. I think this way you might eliminate the row.
Not sure about the field names, I think you might need to know them in advance. Perhaps leverage a lookup table and foreach command...

just some ideas...

Is there a way to export a CSV file that contains a header row even if there is no results from search?

rest API

SDK

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!