Documentation: 3.1.4
Print Version Contents
This page last updated: 01/30/08 03:01pm

Saving commands

outputcsv

This data-processing command is used to output search results in CSV format. This command is useful for formatting result output while using the CLI. If no target filename is specified as an argument, outputcsv rewrites the contents of each search result into a CSV-formatted row in the field "_xml". If a filename is specified, outputcsv writes the CSV-formatted results into the specified file (and appends .csv to the filename if there is no existing extension). If the output spans multiple files, outputcsv can collapse the output to a single file. outputcsv should be the last command specified in a search.

Syntax

outputcsv [usexml_option] [filename] [singlefile_option]

Arguments

usexml_option= usexml=(T | F) Specify whether or not to encode the csv output into xml. This option works only when no filename is specified.
filename= string Name of file to output CSV-formatted results to. Will automatically add a ".csv" extension if there is no extension.
singlefile_option= singlefile=(T | F) If set true, will take an output that spans multiple files and will collapse the files to a single output file.

Examples

./splunk search "secrets source="tcpdump" |  outputcsv"
  • Searches for the word secrets from the source tcpdump, and outputs the data in csv format.

outputraw

This data-processing command causes search results to be output in a simple, raw text format. outputraw should be the last command specified in a search.

Syntax

outputraw

Arguments

None.

Examples 

./splunk search "secrets source="tcpdump" |  outputraw"
  • Searches for the word secrets from the source tcpdump, and outputs the data in raw text format.

outputtext

This data-processing command causes the contents of the _raw field of a result to be written into the " _xml" field. Optionally, you can set outputtext to parse XML escaping characters. outputtext should be the last command specified in a search.

Syntax

outputtext [usexml]

Arguments

usexml= usexml=(T | F)(T) If set, the data in the _raw field parse with XML escaping.

Examples

./splunk search "404 source="webserver" | sort +ip, url | top 5 | outputtext
  • Searches for "404" on webserver, and sorts the results first by fields ip and url then filters the top 5 results. It will then output the top 5 results in a raw text format.

outputxml

This data-processing command causes search results to be written to a proprietary and internal XML format. outputxml should be the last command specified in a search.

Syntax

outputxml [string]

Arguments

string= string Name of xml file to create, to output results to.

Examples

./splunk search "404 source="webserver" | sort +ip, url | top 5 | outputxml 404s.xml
  • Searches for "404" on webserver, and sorts the results first by fields ip and url then filters the top 5 results. It will then output the top 5 results in a xml format to 404s.xml.

sendemail

This data-processing command will email your search results to the email address you specify. You may specify multiple email addresses to send your results to, and you can select the format to send the results in (html, raw, text, csv). You may also choose to send the results in the body of the email, or as an attachment. You must use quotes when specifying an email list.

Syntax

sendemail to="email_list" [email-options]...

Arguments

email-list= "email_address,...,email_address" List of email addresses (email_address= name@whatever.com).

email-options
email-options= from | cc | bcc | format | inline | priority | server Additional email options you can specify.
from= from="email_list"(splunk@hostname) Specify an email address for the from line. Default = splunk@hostname.
cc= cc="email_list" A comma-separated list of valid email addresses to put in the carbon copy (cc) field.
bcc= bcc="email_list" A comma-separated list of valid email addresses to put in the blind carbon copy (bcc) field.
format= format=(html | raw | text | csv)(html) Specify the format of the email that the results are sent in.
inline= inline=(T | F) (T) Set whether to have the results sent in the body of the email, or as an attachment. Setting to true sends them in the body of the email.
priority= priority=(1 | 2 | 3 | 4 | 5) (3) Set the email's priority. 3 = normal, 1 = highest, 2 = high, 4 = low, 5 = lowest.
server= server=name of server(localhost) Set the smtp server. Default is localhost.

Examples

SplunkWeb:

fail sourcetype="access*" | rename _raw as marklar | stats dc(marklar) by _time | sendemail from=cartman@sp.com format=html subject=failboat server=mail.sp.comSearch

  • Searches for "fail" on all sourcetypes that start with "access". Then renames the _raw field as marklar, does a stats operation to find the distinct count, and sends the results to cartman@sp.com in an html-formatted email with the subject "failboat".
Previous: Data-generating commands    |    Next: Filtering and re-ordering commands

Comments

No comments have been submitted.

Log in to comment.