Saving commands
This documentation does not apply to the most recent version of Splunk.
outputcsv
This data-processing command is used to output search results in CSV format. This command is useful for formatting result output while using the CLI. If no target filename is specified as an argument, outputcsv rewrites the contents of each search result into a CSV-formatted row in the field "_xml". If a filename is specified, outputcsv writes the CSV-formatted results into the specified file (and appends .csv to the filename if there is no existing extension). If the output spans multiple files, outputcsv can collapse the output to a single file. outputcsv should be the last command specified in a search.
Syntax
outputcsv [usexml_option] [filename] [singlefile_option]
Arguments
| Argument | Syntax | Description |
| --- | --- | --- |
| usexml_option= | usexml=(T \| F) | Specify whether or not to encode the csv output into xml. This option works only when no filename is specified. |
| filename= | string | Name of file to output CSV-formatted results to. Will automatically add a ".csv" extension if there is no extension. |
| singlefile_option= | singlefile=(T \| F) | If set true, will take an output that spans multiple files and will collapse the files to a single output file. |
Examples
./splunk search 'secrets source="tcpdump" | outputcsv'
- Searches for the word secrets from the source tcpdump, and outputs the data in csv format.
outputraw
This data-processing command causes search results to be output in a simple, raw text format. outputraw should be the last command specified in a search.
Syntax
outputraw
Arguments
None.
Examples
./splunk search 'secrets source="tcpdump" | outputraw'
- Searches for the word secrets from the source tcpdump, and outputs the data in raw text format.
outputtext
This data-processing command causes the contents of the _raw field of a result to be written into the "_xml" field. Optionally, you can set outputtext to parse XML escaping characters. outputtext should be the last command specified in a search.
Syntax
outputtext [usexml]
Arguments
| Argument | Syntax | Description |
| --- | --- | --- |
| usexml= | usexml=(T \| F)(T) | If set, the data in the _raw field is parsed with XML escaping. |
Examples
./splunk search '404 source="webserver" | sort +ip, url | top 5 | outputtext'
- Searches for "404" on webserver, and sorts the results first by fields ip and url then filters the top 5 results. It will then output the top 5 results in a raw text format.
outputxml
This data-processing command causes search results to be written to a proprietary and internal XML format. outputxml should be the last command specified in a search.
Syntax
outputxml [string]
Arguments
| Argument | Syntax | Description |
| --- | --- | --- |
| string= | string | Name of xml file to create, to output results to. |
Examples
./splunk search '404 source="webserver" | sort +ip, url | top 5 | outputxml 404s.xml'
- Searches for "404" on webserver, and sorts the results first by fields ip and url then filters the top 5 results. It will then output the top 5 results in XML format to 404s.xml.
sendemail
This data-processing command will email your search results to the email address you specify. You may specify multiple email addresses to send your results to, and you can select the format to send the results in (html, raw, text, csv). You may also choose to send the results in the body of the email, or as an attachment. You must use quotes when specifying an email list.
Syntax
sendemail to= "email_list" [email-options]...
Arguments
| Argument | Syntax | Description |
| --- | --- | --- |
| email-list= | "email_address,...,email_address" | List of email addresses (email_address= name@whatever.com). |
email-options
| Argument | Syntax | Description |
| --- | --- | --- |
| email-options= | from \| cc \| bcc \| format \| inline \| priority \| server | Additional email options you can specify. |
| from= | from= "email_list"(splunk@hostname) | Specify an email address for the from line. Default = splunk@hostname. |
| cc= | cc= "email_list" | A comma-separated list of valid email addresses to put in the carbon copy (cc) field. |
| bcc= | bcc= "email_list" | A comma-separated list of valid email addresses to put in the blind carbon copy (bcc) field. |
| format= | format=(html \| raw \| text \| csv)(html) | Specify the format of the email that the results are sent in. |
| inline= | inline=(T \| F) (T) | Set whether to have the results sent in the body of the email, or as an attachment. Setting to true sends them in the body of the email. |
| priority= | priority=(1 \| 2 \| 3 \| 4 \| 5) (3) | Set the email's priority. 3 = normal, 1 = highest, 2 = high, 4 = low, 5 = lowest. |
| server= | server=name of server(localhost) | Set the smtp server. Default is localhost. |
Examples
SplunkWeb:
fail sourcetype="access*" | rename _raw as marklar | stats dc(marklar) by _time | sendemail to="cartman@sp.com" format=html subject=failboat server=mail.sp.com
- Searches for "fail" on all sourcetypes that start with "access". Then renames the _raw field as marklar, does a stats operation to find the distinct count, and sends the results to cartman@sp.com in an html-formatted email with the subject "failboat".
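Because sendemail moves search results off the Splunk host, it is worth reviewing where a search sends them. The following is an added example, not part of the Splunk documentation: a Python check that extracts the sendemail stage from a search string, validates format, inline and priority against the values in the table above, and lists to, cc and bcc recipients outside an approved domain set. The function names, the sample search, the addresses and the approved-domain policy are assumptions made for illustration.

```python
import re

# Allowed values and defaults, taken from the sendemail option table above.
ALLOWED = {"format": {"html", "raw", "text", "csv"},
           "inline": {"T", "F"},
           "priority": {"1", "2", "3", "4", "5"}}
DEFAULTS = {"format": "html", "inline": "T", "priority": "3", "server": "localhost"}

# key=value or key="quoted list"; tolerates the space shown in `to= "email_list"`.
OPTION_RE = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')


def parse_sendemail(search):
    """Return the options of the sendemail stage of a search string, or None."""
    # Assumption: no literal "|" appears inside the sendemail arguments.
    stage = re.search(r'\|\s*sendemail\b([^|]*)', search)
    if stage is None:
        return None
    opts = dict(DEFAULTS)
    for key, quoted, bare in OPTION_RE.findall(stage.group(1)):
        opts[key] = quoted or bare
    return opts


def audit(search, approved_domains):
    """List option errors and recipients outside approved_domains (hypothetical policy)."""
    opts = parse_sendemail(search)
    if opts is None:
        return []
    findings = []
    if not opts.get("to"):
        findings.append("missing required to=")
    for key, allowed in ALLOWED.items():
        if opts[key] not in allowed:
            findings.append(f"{key}={opts[key]} is not one of {sorted(allowed)}")
    for field in ("to", "cc", "bcc"):
        for addr in (a.strip() for a in opts.get(field, "").split(",")):
            if addr and addr.rpartition("@")[2].lower() not in approved_domains:
                findings.append(f"{field} recipient outside approved domains: {addr}")
    return findings


# Constructed sample search; the addresses and domains are placeholders.
SAMPLE = ('fail sourcetype="access*" | stats count by host | sendemail '
          'to="soc@corp.example" bcc="ops@corp.example, drop@mail.example" '
          'format=pdf priority=2')

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"corp.example"}):
        print(finding)
```

Options that are not in the table, such as the subject= used in the example above, are parsed but not validated.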
This documentation applies to the following versions of Splunk: 3.1.4