How to export to csv, for search results aggregated count() by IPV4

We’re on graylog 3.3.14.

I created a search with the results I need, and then right-click the IPv4 field to “show top values”. The result is an overview of IPv4s I want to block, sorted on number of occurrences. Now I am trying to export those aggregated results to csv, so I can process them further (block them on my firewall).

But the “Aggregating count() by IPV4” actions menu has no “export to csv” option, just “edit”, “duplicate”, “copy to dashboard”, and “delete”.

Top right of the search result has an export to csv option, but that’s not on the aggregated results, but on the global (non-aggregated) search results.

Surely I am missing something. There must be a way to export the displayed aggregated_count_by_IPv4 results to csv?

Hello,

I think this is what you want.

https://docs.graylog.org/v1/docs/csv-export

But I don’t have the export button for my aggregated searches. I feel really stupid, and probably miss something very basic. See this screenshot:

I know the “export to csv” option on the right top three-dot menu, but selecting that export gives: “You need to create a message table widget to export its result.”

Again… I feel stupid, but how can I export the aggregated search results in my screenshot?

@kkplein

You’re all good, that’s why we have a forum :slight_smile:

Maybe I can walk you through the steps as best as I can. This should give you the results you want.

For example

  1. Go to the global search (click the Search button on top left)

  2. Now type your filters, which I believe is “unknown user” AND NOT “passwd-file”

  3. Make a Widget

  4. Configure your widget and Save

  5. Upper right corner, click the “three dots” and choose “Export”

  6. Should be good from there. You can add fields or modify what you want before DL’ing.

Results

"timestamp","IPV4"
"2021-11-04T23:54:53.000Z","10.10.10.70"
"2021-11-04T23:54:53.000Z","10.10.10.57"
"2021-11-04T23:54:54.000Z","10.10.10.67"
"2021-11-04T23:54:54.000Z","10.10.10.137"
"2021-11-04T23:54:54.000Z","10.10.10.70"
"2021-11-04T23:54:54.000Z","10.10.10.67"
"2021-11-04T23:54:54.000Z","10.10.10.59"
"2021-11-04T23:54:55.000Z","10.10.10.101"

https://docs.graylog.org/v1/docs/csv-export

Hope that helps.

Hi @gsmith,

I really appreciate your effort working with me!

Apologies for persisting, but what you show above, I think, is the way to export “All messages”, and not the aggregated search results…? I am looking for an export in this format:

IPV4                               Count
1.2.3.4                            100
5.6.7.8                             65

As the above (aggregated) export format will allow me to add IPs easily to my firewall.

Meanwhile I have upgraded graylog from 3.3 to 4.2, but it doesn’t make a difference in this respect.

Again: I really appreciate the feedback here! :slight_smile:

Selecting ‘export’ from the right top three button menu, gives this result:
Screenshot from 2021-11-05 11-41-56

And I really cannot find the option to “export to CSV” in the aggregated result message table action menu.

You may have missed some of the steps that @gsmith posted - I just followed them and was able to pull an export of usernames with IPs against my test data. Did you make sure to save the search you created with the custom aggregate before trying the export?

EDIT: Didn’t think to look at the question :stuck_out_tongue:

Since you are exporting anyway to load to the firewall, create the query to get the field data you want and get the instance count via Excel as you are adjusting the data for the import.

Or if you are just looking for top ~15 just drag select the resulting aggregate, copy to your clipboard and paste it to a file for further massaging.

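The post-processing step suggested above, as an added example that is not part of the thread: it takes the raw `timestamp,IPV4` message-table export (the sample rows from @gsmith’s reply are embedded as constructed input) and produces the `IPV4,Count` table the original poster asked for. Rows that are not valid IPv4 addresses are dropped, so only well-formed addresses reach a firewall block list.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: the raw message-table export from the thread above
# (timestamp, IPV4), i.e. one row per message, not the aggregated table.
RAW_EXPORT = """\
"timestamp","IPV4"
"2021-11-04T23:54:53.000Z","10.10.10.70"
"2021-11-04T23:54:53.000Z","10.10.10.57"
"2021-11-04T23:54:54.000Z","10.10.10.67"
"2021-11-04T23:54:54.000Z","10.10.10.137"
"2021-11-04T23:54:54.000Z","10.10.10.70"
"2021-11-04T23:54:54.000Z","10.10.10.67"
"2021-11-04T23:54:54.000Z","10.10.10.59"
"2021-11-04T23:54:55.000Z","10.10.10.101"
"""


def aggregate_ipv4_counts(csv_text, field="IPV4"):
    """Count how often each valid IPv4 address appears in the export.

    Returns (ip, count) tuples, highest count first, ties broken by
    numeric address so the output is deterministic. Empty or malformed
    values (a hostname, a typo, a blank field) are skipped rather than
    passed on to a block list.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(field) or "").strip()
        try:
            ip = ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            continue
        counts[str(ip)] += 1
    return sorted(counts.items(),
                  key=lambda kv: (-kv[1], ipaddress.IPv4Address(kv[0])))


def counts_to_csv(pairs, field="IPV4"):
    """Render the aggregated pairs as the IPV4,Count CSV requested above."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([field, "Count"])
    writer.writerows(pairs)
    return out.getvalue()


if __name__ == "__main__":
    # Run against a real export with: python aggregate.py < export.csv
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else RAW_EXPORT
    print(counts_to_csv(aggregate_ipv4_counts(data)), end="")
```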

I understand now. Yeah the example I gave above does have a filter for ALL messages but does not have the count per IPV4.

Actually that would be a nice feature to have in Saved Searches or Dashboard Widgets, which is to download aggregated search results into a CSV with a count. Perhaps post here for a feature request.

Only solution I see is what @tmacgbay suggested.

Hi @gsmith

I created this: https://github.com/Graylog2/graylog2-server/issues/11598

Could you confirm that you understand the feature request…? As it took a while before I was able to explain my issue properly here…
(i would like the developers to easily understand what I mean)


The feature request makes sense to me!


Thank you. I was surprised that this seems not yet possible.
Perhaps you could indicate so under the request. Or vote for it…?

Same here. The feature request looks good. It might take a few for a reply, just keep checking on it.

