I want to output a CSV file named like "splunkuserid_data.csv" automatically, for example: admin_17_05_16_09_07_58.csv
I tried this search -> my search | outputcsv [| stats count | addinfo | eval filename=strftime(now(), "filename_%d_%m_%y_%H_%M_%S") | return $filename ]
I know how to get the current Splunk user id (|rest /services/authentication/current-context splunk_server=local | fields username ) but I don't know how to add the Splunk user id to the CSV file.
Does anyone have a good idea?