export

The export operator does one of the following:

Only Admin and Editor Search Members can run the export operator.

Syntax

Export to Cribl Lake:

Scope | export [ suppressPreviews=Previews ] to [ lake ] LakeDatasetName [ tee=Tee ]

The lake keyword is optional and has no effect.

Export to a Lookup:

Scope | export [ mode=Mode ]
               [ description=Description ]
               [ suppressPreviews=Previews ]
               [ fieldMapping=PairsToMap ]
               [ compress=Compress ]
               to lookup LookupName
               [ tee=Tee ]
               [ maxEvents=MaxEvents ]

Arguments

Export to Lake Dataset

  • Scope: The events to search.
  • Previews: Boolean indicating whether to push new metrics on timer events. Defaults to false.
  • LakeDatasetName: The Cribl Lake dataset to export results to. You must choose an already existing dataset.
  • Tee: Boolean. If set to true, the search results are shown as usual. If false (which is the default), instead of the results, Cribl Search displays statistics related to the export.

Export to Lookup Table

  • Scope: The events to search.
  • Mode: Supports create, overwrite, and append. Defaults to create. If the lookup table doesn’t exist, it defaults to create, simplifying scheduled searches. When using append mode, you can include description, fieldMapping, and compress parameters, and if the lookup table exists, they are ignored. This streamlines the process of appending data to a lookup table as part of scheduled searches, as the table is generated during the first scheduled run and continues to append new content in subsequent runs.
  • Description: String. The description to give the lookup table.
  • Previews: Boolean indicating whether to push new metrics on timer events. Defaults to false.
  • PairsToMap: String. Comma-separated list of sourceName:targetName pairs to map event property names to CSV output names. Defaults to all of the last known list of projected fields.
  • Compress: String. Defaults to auto where files larger than 16 KB are compressed. Set as true to compress no matter the size and false to not compress the file.
  • LookupName: The lookup table file name, without the file extension. For example: a file name of users.csv is entered as users.
  • Tee: Boolean. Defaults to false where search results are not shown in Cribl Search. Instead, you get an event with the URL and the number of bytes and events sent or dropped. When true the search results are displayed and no stats are provided. For example: tee=true.
  • MaxEvents: The maximum number of events that can be handled and exported, any exceeding events are dropped. Defaults to 10000.

Rules

  • You cannot use create mode on an existing lookup table, an error is thrown.
  • Arguments are not case-sensitive.

Examples

Export search results to the mydataset Cribl Lake dataset:

dataset="cribl_search_sample"
| export to lake mydataset

// you can also drop the `lake` keyword
dataset="cribl_search_sample"
| export to mydataset

Create a lookup table named mylookup with the time and status fields.

dataset="cribl_search_sample"
| export description="My lookup" fieldMapping="_time:time,status:status" to lookup mylookup

Export a lookup table with two columns, method and cnt (identical to the lookup operator example).

dataset=$vt_dummy event<600
| extend _time=_time-rand(600), method=iif(event%2>0, "GET", "POST")
| summarize cnt=count() by method
| export mode=append description="Table with http methods count" to lookup mymethods
Run in Cribl Search

To verify that table was exported.

dataset="cribl_lookups" lookup_table=mymethods
| project method, cnt
| render table
Run in Cribl Search
Last updated by: Dritan Bitincka