Export Search Results
Use the export functionality to download search results to your local computer, for example to attach them to another system or to work with the data outside the Exabeam interface.
Export allows output in the following format:
Raw log (csv) — This format exports the events in a comma separated value (CSV) file, where the first column includes the normalized ingestion time for the event, and the second column includes the raw message of the event. Use this format to import the search results into a spreadsheet, or into a tool that uses the time information present in the events.
The export file is compressed in gzip format and has the file extension .csv.gz.
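The two-column layout described above is enough to consume an export offline. The following is an added example, not Exabeam code: it decompresses a .csv.gz export in memory and yields (ingestion time, raw message) pairs, using the csv module so that raw messages containing commas, quotes or embedded newlines are read back intact. The sample export is constructed inline; the absence of a header row and the ISO-style timestamps are assumptions, since the page does not document either.

```python
"""Read an Exabeam "Raw log (csv)" export offline.

Added example, not Exabeam code. Assumptions not stated on the page:
the file has no header row, and the ingestion time is kept as a string
because its exact format is not documented.
"""
import csv
import gzip
import io
from typing import Iterator, List, Tuple


def iter_raw_log_export(gz_bytes: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (ingestion_time, raw_message) pairs from a .csv.gz export.

    Column 1 is the normalized ingestion time, column 2 the raw message.
    csv.reader handles raw messages that contain commas, quotes or
    embedded newlines, which a naive split(',') would break on.
    """
    with gzip.open(io.BytesIO(gz_bytes), mode="rt", encoding="utf-8", newline="") as fh:
        for row in csv.reader(fh):
            if len(row) < 2:
                # Skip blank or truncated lines instead of failing mid-file.
                continue
            yield row[0], row[1]


def load_raw_log_export(gz_bytes: bytes) -> List[Tuple[str, str]]:
    """Materialize the whole export as a list (fine for small files)."""
    return list(iter_raw_log_export(gz_bytes))


def build_sample_export() -> bytes:
    """Constructed sample export (not real Exabeam output) in the described layout."""
    rows = [
        ("2024-01-01T00:00:00Z",
         "Jan  1 00:00:00 host1 sshd[123]: Accepted publickey for alice from 10.0.0.5 port 5000 ssh2"),
        ("2024-01-01T00:00:01Z",
         'Jan  1 00:00:01 host1 app: msg="value, with comma" user="bob"'),
        ("2024-01-01T00:00:02Z",
         "line one\nline two"),  # multi-line raw event, quoted by the CSV writer
    ]
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return gzip.compress(buf.getvalue().encode("utf-8"))


if __name__ == "__main__":
    for ts, raw in iter_raw_log_export(build_sample_export()):
        print(ts, repr(raw))
```

For a real export, replace `build_sample_export()` with the bytes of the downloaded .csv.gz file; the generator form lets you stream a large file without holding every row in memory.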
To export events:
While a search is running, or after it completes, click Export Events.
Fill in the export parameters. You can choose to export just the raw logs, or the raw logs along with all or some of the parsed fields.
Data Format – Select either Parsed Fields or Raw Logs from the drop-down menu.
Include null fields – Select to include null fields when exporting events. By default, this check box is not selected and null fields are excluded from export.
Include raw logs – Select to include raw log data when exporting events (must select Parsed Fields in the Data Format menu).
Field Template – If you selected Parsed Fields in the Data Format menu, you can select All Parsed Fields or select a specific field template from the drop-down list.
Note
Hover over any field template name to see a list of fields that are included in the template.
Click Export.
The compressed exported events file will be downloaded to your local computer. You will receive a notification once the export is complete.
Note
Search can export up to 20 million query results. The results are batched into files of up to 1 GB each, based on their size, and zipped together.