Hi,
Using Splunk on a raw log file, I get the total templates (clusters) of logs using something like:
host="my_host" index="my_index" sourcetype="my_log" Content=*
| eval rex_template=replace(Content, "this", "*")
| cluster t=0.9 labelonly=true labelfield=Template match=termlist field=rex_template
| stats count AS Occurrences, values(rex_template) AS REGEX_Expressions by Template
However, I want to extract the file of the structured logs (not templates). Each log line from the raw file has a corresponding structured row with columns, where each column is an attribute describing the log (e.g. Time, PID, BlockID, etc.)
My query for this is something like:
host="my_host" index="my_index" sourcetype="my_log" Content=*
| cluster t=0.9
| outputcsv structured_logs.csv
So we output the structured lines in a csv file which we can export.
Is there a way to download the structured file via the terminal, using the first of the 2 searches above? That query generates just templates, not the whole file of structured logs.
Thank you.
I ssh to my Splunk VM trying to find the file(s) containing the structured logs without success so far.