Export csv files from Discover

1,235 views
Skip to first unread message

Marcus Ledbetter

unread,
Jul 5, 2018, 12:48:10 PM7/5/18
to security-onion
How do I export csv files from Kibana Discover? Looking at Kibana support webpages, I notice there is a Reporting (tab)option in the top right that exports to csv, but on the Kibana loaded from Security Onion that option is not provided. How can I fix this?

Thanks,

Marc

Jay Hawk

unread,
Jul 5, 2018, 3:11:13 PM7/5/18
to security-onion
Sorry, just now re-installing the latest version so I can't test this, but a quick google brings this up for Kibana V6.

https://www.youtube.com/watch?v=Jd8-A3fIGjo

Marcus Ledbetter

unread,
Jul 5, 2018, 3:37:28 PM7/5/18
to securit...@googlegroups.com
Jay,

Thanks for the info. Unfortunately, the Kibana 6.2.4 I have, which came from the Security Onion install, does not have a Reporting tab. You will notice on the video, the Reporting tab is what you use to export Discover output to a csv file. I can't figure out why my SO does not have a Kibana with the Reporting tab.

Thanks,

Marc

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/AOns9Yn1Nsw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Steven J

unread,
Jul 5, 2018, 4:11:13 PM7/5/18
to securit...@googlegroups.com
Hi Marcus, 

I have Ver: 6.2.2 installed, not sure if this changed for your version.

I can save the item I wish to export as an object.  From there I can go through the Management Tab in the left menu, select "Saved Objects" at the top, then choose which saved object you wish to export?

Anything that is available in a dashboard should have an "Export" button already attached in the dashboard, in case this helps.

If your version is different, my apologies for poking my nose in. :-)

Steven Malm
Roc-Analyst I
Lyrical Security
174 Spadina Ave, Suite 400, Toronto, ON, Canada - M5T 2C2

On Thu, Jul 5, 2018 at 3:37 PM, Marcus Ledbetter <mdle...@gmail.com> wrote:
Jay,

Thanks for the info. Unfortunately, the Kibana 6.2.4 I have, which came from the Security Onion install, does not have a Reporting tab. You will notice on the video, the Reporting tab is what you use to export Discover output to a csv file. I can't figure out why my SO does not have a Kibana with the Reporting tab.

Thanks,

Marc
On Thu, Jul 5, 2018 at 3:11 PM, Jay Hawk <id1010...@gmail.com> wrote:
Sorry, just now re-installing the latest version so I can't test this, but a quick google brings this up for Kibana V6.

https://www.youtube.com/watch?v=Jd8-A3fIGjo


On Thursday, July 5, 2018 at 12:48:10 PM UTC-4, Marcus Ledbetter wrote:
> How do I export csv files from Kibana Discover? Looking at Kibana support webpages, I notice there is a Reporting (tab)option in the top right that exports to csv, but on the Kibana loaded from Security Onion that option is not provided. How can I fix this?
>
> Thanks,
>
> Marc

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/AOns9Yn1Nsw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onion+unsubscribe@googlegroups.com.

To post to this group, send email to securit...@googlegroups.com.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.

Wes Lambert

unread,
Jul 5, 2018, 4:16:21 PM7/5/18
to securit...@googlegroups.com
Hi Marc,

Reporting is handled through the use of X-Pack.

We do not include X-Pack with Security Onion, however, you can try adding it yourself using the (similar) instructions here:


Thanks,
Wes

On Thu, Jul 5, 2018 at 3:37 PM Marcus Ledbetter <mdle...@gmail.com> wrote:
Jay,

Thanks for the info. Unfortunately, the Kibana 6.2.4 I have, which came from the Security Onion install, does not have a Reporting tab. You will notice on the video, the Reporting tab is what you use to export Discover output to a csv file. I can't figure out why my SO does not have a Kibana with the Reporting tab.

Thanks,

Marc
On Thu, Jul 5, 2018 at 3:11 PM, Jay Hawk <id1010...@gmail.com> wrote:
Sorry, just now re-installing the latest version so I can't test this, but a quick google brings this up for Kibana V6.

https://www.youtube.com/watch?v=Jd8-A3fIGjo


On Thursday, July 5, 2018 at 12:48:10 PM UTC-4, Marcus Ledbetter wrote:
> How do I export csv files from Kibana Discover? Looking at Kibana support webpages, I notice there is a Reporting (tab)option in the top right that exports to csv, but on the Kibana loaded from Security Onion that option is not provided. How can I fix this?
>
> Thanks,
>
> Marc

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/AOns9Yn1Nsw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.

Marcus Ledbetter

unread,
Jul 5, 2018, 4:42:52 PM7/5/18
to securit...@googlegroups.com
Thanks Steven, I'll check it out...

-Marc

Marcus Ledbetter

unread,
Jul 5, 2018, 4:45:50 PM7/5/18
to securit...@googlegroups.com
Thanks for that. I had a feeling there was an upgrade that would solve my problem. I attempted the command, but the gzip errored out with unexpected end of file. I'll have to see if I can resolve this...

Thanks,

Marc

To unsubscribe from this group and all its topics, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/AOns9Yn1Nsw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.

Jay Hawk

unread,
Jul 5, 2018, 6:19:20 PM7/5/18
to security-onion
Ah, that's a bummer, that said, it is fairly easy to create visualizations which can be exported to a CSV.

For instance if you go into SO and look at the Home Dashboard and scroll down to the bottom of your "All Sensors - Log Type" visualization, you'll see where it says "Export: Raw Formatted"
Clicking the formatted icon will give you a CSV of the fields (this is quite useful when sorting through User-Agents for example)

Likewise you could if you felt the need generate a data table for your query that extracts the relevant information adding only the fields you really need.

https://www.elastic.co/guide/en/kibana/6.3/createvis.html
https://www.elastic.co/guide/en/kibana/6.3/data-table.html

On Thursday, July 5, 2018 at 3:37:28 PM UTC-4, Marcus Ledbetter wrote:
> Jay,
>
>
>
> Thanks for the info. Unfortunately, the Kibana 6.2.4 I have, which came from the Security Onion install, does not have a Reporting tab. You will notice on the video, the Reporting tab is what you use to export Discover output to a csv file. I can't figure out why my SO does not have a Kibana with the Reporting tab.
>
>
>
> Thanks,
>
>
> Marc
>
>
>
> On Thu, Jul 5, 2018 at 3:11 PM, Jay Hawk <id1010...@gmail.com> wrote:
> Sorry, just now re-installing the latest version so I can't test this, but a quick google brings this up for Kibana V6.
>
>
>
> https://www.youtube.com/watch?v=Jd8-A3fIGjo
>
>
>
>
>
>
>
> On Thursday, July 5, 2018 at 12:48:10 PM UTC-4, Marcus Ledbetter wrote:
>
> > How do I export csv files from Kibana Discover? Looking at Kibana support webpages, I notice there is a Reporting (tab)option in the top right that exports to csv, but on the Kibana loaded from Security Onion that option is not provided. How can I fix this?
>
> >
>
> > Thanks,
>
> >
>
> > Marc
>
>
>
> --
>
> Follow Security Onion on Twitter!
>
> https://twitter.com/securityonion
>
> ---
>
> You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
>
> To unsubscribe from this topic, visit


https://groups.google.com/d/topic/security-onion/AOns9Yn1Nsw/unsubscribe.
>
> To unsubscribe from this group and all its topics, send an email to security-onio...@googlegroups.com.
>
> To post to this group, send email to securit...@googlegroups.com.

Marcus Ledbetter

unread,
Jul 10, 2018, 1:37:11 PM7/10/18
to security-onion

Thanks Jay!

Marcus Ledbetter

unread,
Jul 12, 2018, 1:24:33 PM7/12/18
to security-onion
On Thursday, July 5, 2018 at 8:11:13 PM UTC, Steven J wrote:
> Hi Marcus, 
>
> I have Ver: 6.2.2 installed, not sure if this changed for your version.
>
> I can save the item I wish to export as an object.  From there I can go through the Management Tab in the left menu, select "Saved Objects" at the top, then choose which saved object you wish to export?
>
> Anything that is available in a dashboard should have an "Export" button already attached in the dashboard, in case this helps.
>
> If your version is different, my apologies for poking my nose in. :-)
>
>
>
>
>
>
>
>
>
>
>
> Steven Malm
> Roc-Analyst I
> Lyrical Security
> 174 Spadina Ave, Suite 400, Toronto, ON, Canada - M5T 2C2
> 1-855-561-4604 ext. 55
> mobile: (705) 440-3339
> e-mail: sjm...@lyricalsecurity.com
>
>
>
>
> On Thu, Jul 5, 2018 at 3:37 PM, Marcus Ledbetter <mdle...@gmail.com> wrote:
>
>
> Jay,
>
>
>
> Thanks for the info. Unfortunately, the Kibana 6.2.4 I have, which came from the Security Onion install, does not have a Reporting tab. You will notice on the video, the Reporting tab is what you use to export Discover output to a csv file. I can't figure out why my SO does not have a Kibana with the Reporting tab.
>
>
>
> Thanks,
>
>
> Marc
>
>
>
> On Thu, Jul 5, 2018 at 3:11 PM, Jay Hawk <id1010...@gmail.com> wrote:
> Sorry, just now re-installing the latest version so I can't test this, but a quick google brings this up for Kibana V6.
>
>
>
> https://www.youtube.com/watch?v=Jd8-A3fIGjo
>
>
>
>
>
>
>
> On Thursday, July 5, 2018 at 12:48:10 PM UTC-4, Marcus Ledbetter wrote:
>
> > How do I export csv files from Kibana Discover? Looking at Kibana support webpages, I notice there is a Reporting (tab)option in the top right that exports to csv, but on the Kibana loaded from Security Onion that option is not provided. How can I fix this?
>
> >
>
> > Thanks,
>
> >
>
> > Marc
>
>
>
> --
>
> Follow Security Onion on Twitter!
>
> https://twitter.com/securityonion
>
> ---
>
> You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
>
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/AOns9Yn1Nsw/unsubscribe.
>
> To unsubscribe from this group and all its topics, send an email to security-onio...@googlegroups.com.
>
> To post to this group, send email to securit...@googlegroups.com.
>
> Visit this group at https://groups.google.com/group/security-onion.
>
> For more options, visit https://groups.google.com/d/optout.
>
>
>
>
>
>
>
>
>
> --
>
> Follow Security Onion on Twitter!
>
> https://twitter.com/securityonion
>
> ---
>
> You received this message because you are subscribed to the Google Groups "security-onion" group.
>
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
>
> To post to this group, send email to securit...@googlegroups.com.
>
> Visit this group at https://groups.google.com/group/security-onion.
>
> For more options, visit https://groups.google.com/d/optout.

Hi Steven,

Thanks for that tip. It looks to me that I can save and export the Discovery page through Management like you recommended. However, I am unable to export as .csv, but can only export in json.

Thanks,

Marc

Steven J

unread,
Jul 12, 2018, 1:50:40 PM7/12/18
to securit...@googlegroups.com

Steven Malm
Roc-Analyst I
Lyrical Security
174 Spadina Ave, Suite 400, Toronto, ON, Canada - M5T 2C2

To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages