_export


_export is a query directive used to extract a result set from the pipeline and send it to your email inbox. Currently the result set can be sent as an attachment in the XLSX, CSV or JSON formats. The email can be sent by directly specifying the email addresses in the query function or by specifying the (slug) name of a DNIF notification group.

NOTE: A notification (NOTIF) group in DNIF is a named group consisting of names and email addresses of its members. You can learn how to create a notification group with DNIF.

NOTE: For the export to work and the email to be sent, the SMTP service must be configured on the DNIF systems, and the service's message-size limit must allow the attachment that is created.

Syntax

The generic syntax of the _export directive is as given below:

_export [ xlsx | csv | json ] [function]
function:
notify_email | notify_group
notify_email <email address1>, <email address2>, …
notify_group <notification_group_slug>

Here,

  • xlsx/csv/json: These are file formats in which the result set can be sent in the email.
  • notify_email: Sends an email to the specified email addresses.
  • notify_group: Sends an email to the members of a notification group created in DNIF.

notify_email

The _export directive can be used to send a result set as an attachment to the specified email addresses using the notify_email keyword.

Take a look at the example given below:

_fetch * from event where $LogType=FIREWALL group count_unique $DstPort limit 5
>>_export xlsx notify_email <email address>

Here:

1. The _fetch directive retrieves all the fields of every event in the event index where $LogType is FIREWALL. The result set is grouped by the unique values of $DstPort, with a count (count_unique) for each value, sorted in descending order of count_unique (the default), and then limited to 5 rows. The output is as shown below:

aggregation based on unique values of destination network ports

2. In the pipelined query function, the _export directive extracts the result set in an Excel file (xlsx) and emails the file (notify_email) to the specified email ID, as shown in the image below:

resultset of the second query function

The image above shows the web console output of the export query function. The images below show the DNIF email as received in the inbox.

email received in inbox
details of the email
contents of the excel file exported

The image above shows the attachment (xlsx file) present in the email received from DNIF.

notify_group

The _export directive can be used to send a result set as an attachment in an email to a group using the notify_group keyword. The group referred to here is a NOTIF (notification) group created in DNIF. The email will be sent to all members of the notification group whose slug name is specified in the query function after the notify_group keyword.

NOTE: You can learn how to create a notification group in DNIF.

list of existing notification groups

The image above shows a list of all the notification groups that have been created.

Take a look at the example given below:

_fetch * from event where $LogType=FIREWALL group count_unique $DstPort limit 5
>>_export xlsx notify_group Demo

This query is similar to the one in the previous example, for notify_email. However, in this case the _export directive uses the notify_group keyword to send the result set as an XLSX attachment in an email to all members of the Demo notification group created in DNIF.

NOTE: The notify_group function gives you the option to dynamically change either the recipients or their email addresses. This can be useful in several cases; for example, if the directive has been used as part of a workbook configured to send a report every day, you can modify the NOTIF (notification) group to alter the recipients without changing the query in the workbook. Had we used the notify_email function, we would have had to modify this query and every other query in which the same change is needed.
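As an added example (not DNIF's own code) that covers both the Syntax section above and this note, the following Python linter parses _export stages against the grammar given above and flags notify_email in pipelines meant for scheduled workbooks. The email-address and slug patterns are assumptions for illustration, not DNIF's validation rules.

```python
import re

# Grammar given on the page: _export [ xlsx | csv | json ] [function]
#   function := notify_email <addr1>, <addr2>, ... | notify_group <slug>
EXPORT_FORMATS = {"xlsx", "csv", "json"}
# Constructed, deliberately simple patterns; they are not DNIF's own rules.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")
SLUG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


def parse_export(stage):
    """Parse one stage such as '>>_export xlsx notify_group Demo'; raise on error."""
    stage = stage.strip()
    if stage.startswith(">>"):           # pipe marker used in the page's examples
        stage = stage[2:].strip()
    tokens = stage.split(None, 2)        # directive, format, function + arguments
    if len(tokens) < 3 or tokens[0] != "_export":
        raise ValueError("expected: _export <xlsx|csv|json> <function> ...")
    fmt, rest = tokens[1], tokens[2]
    if fmt not in EXPORT_FORMATS:
        raise ValueError(f"unsupported export format: {fmt!r}")
    func, _, args = rest.partition(" ")
    args = args.strip()
    if func == "notify_email":
        recipients = [a.strip() for a in args.split(",") if a.strip()]
        if not recipients or any(not EMAIL_RE.match(a) for a in recipients):
            raise ValueError(f"invalid notify_email address list: {args!r}")
    elif func == "notify_group":
        if not SLUG_RE.match(args):
            raise ValueError(f"invalid notification group slug: {args!r}")
        recipients = [args]
    else:
        raise ValueError(f"unknown export function: {func!r}")
    return {"format": fmt, "function": func, "recipients": recipients}


def lint_pipeline(query):
    """Return warnings for each _export stage of a multi-line pipelined query."""
    warnings = []
    for n, line in enumerate(query.splitlines(), 1):
        if not line.strip().lstrip(">").lstrip().startswith("_export"):
            continue                      # only export stages are checked
        try:
            parsed = parse_export(line)
        except ValueError as err:
            warnings.append(f"line {n}: error: {err}")
            continue
        if parsed["function"] == "notify_email":
            # the page recommends notify_group for queries run from scheduled workbooks
            warnings.append(f"line {n}: notify_email hard-codes recipients; "
                            "prefer notify_group for scheduled workbooks")
    return warnings
```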