Download .csv file from splunk lookup
Note that I am explicitly setting the fields I want and putting the results into a table. I want to store the results of this search into a file called sp-app. If you leave off the -o option you will get the output streamed to your console; given the amount of data you are grabbing, this is not optimal.
If you include the -o, then you get a nicely formatted display of progress. The numbers update during the process telling you how much has been downloaded and the speed at which the data is coming across.
But 12 minutes later, I have a Mb file with well over , lines of data. You need to remove the header, reverse the lines and then add the header back in.
I read Splunk documentation and it seems like lookup is the best way to handle this situation. The goal is for my query to leverage the lookup function and print out all the download events from all these users in the list. I probably don't understand lookup correctly. Can someone correct me and teach me the correct way? In the lookup file, the name of the field is users, whereas in the event, it is username. Fortunately, the lookup command has a mechanism for renaming the fields during the lookup.
Try the following. Now, depending on the volume of data you have in your index and how much data is being discarded when not matching a username in the CSV, there may be alternate approaches you can try, for example, this one using a subsearch. So your main search will turn into.
Press save to persist it. Another thing the customer mentioned to me was that he needed to clean up and fix some things in the lookup file before he could use it. He manipulated it manually, but the search interface is a great way to modify CSV files. I then use the rex search command to split out the local and domain portions: