Using Export¶
Turn sets of logs into downloadable, sendable files in Export. You can keep these files on your computer, inspect them in another program, or send them via email.
What is an export?
An export is not a file, but a process that creates a file. The export contains and follows your instructions for which data to put in the file, what type of file to create, and what to do with the file. When you run the export, you create the file.
Why would I export logs?
Being able to see a group of logs in one file can help you inspect the data more closely. A few reasons you might want to export logs are:
- To investigate an event or attack
- To send data to an analyst
- To explore the data in a program outside TeskaLabs LogMan.io
Navigating Export¶
List of exports
The List of exports shows you all the exports that have been run or scheduled.
From the list page, you can:
- See an export's details by clicking on the export's name
- Download the export by clicking on the cloud beside its name
- Delete the export by clicking on the trash can beside its name
- Search for exports using the search bar
Export status is color-coded:
- Green: Completed
- Yellow: In progress
- Blue: Scheduled
- Red: Failed
Run an export¶
Running an export adds the export to your List of exports, but it does not automatically download the export. See Download an export for instructions.
Run an export based on a preset¶
1. Click New on the List of exports page. Now you can see the preset exports:
2. To run a preset export, click the run button beside the export name.
OR
2. To edit the export before running, click on the edit button beside the export name. Make your changes, and then click Start. (Use this guide to learn about making changes.)
Once you run the export, you are automatically brought back to the list of exports, and your export appears at the top of the list.
Note
Export presets are created by administrators.
Run an export based on an export you've run before¶
You can re-run an export. Running an export again does not overwrite the original export.
1. On the List of exports page, click on the name of the export you want to run again.
2. Click Restart.
3. You can make changes here (see this guide) or run as-is.
4. Click Start.
Once you run the export, you are automatically brought back to the list of exports, and your new export appears at the top of the list.
Create a new export¶
Create an export from a blank form¶
1. In List of exports, click New, then click Custom.
2. Fill in the fields.
Note
The options in the drop down menus might change based on the selections you make.
Name
Name the export.
Data Source
Select your data source from the drop-down list.
Output
Choose the file type for your data. It can be:
- Raw: If you want to download the export and import the logs into different software, choose raw. If the data source is Elasticsearch, the raw file format is .json.
- .csv: Comma-separated values
- .xlsx: Microsoft Excel format
Compression
Choose to zip your export file, or leave it uncompressed. A zipped file is compressed, and therefore smaller, so it is easier to send and takes up less space on your computer.
Target
Choose the target for your file. It can be:
- Download: A file you can download to your computer.
- Email: Fill in the email fields. When you run the export, the email sends. You can still download the data file any time in the List of exports.
- Jupyter: Saves the file in the Jupyter notebook, which you can access through the Tools page. You need to have administrator permissions to access the Jupyter notebook, so only choose Jupyter as the target if you're an administrator.
Separator
If you select .csv as your output, choose what character will mark the separation between each value in each log. Even though CSV means comma-separated values, you can choose to use a different separator, such as a semicolon or space.
Schedule (optional)¶
To schedule the export, rather than running it immediately, click Add schedule.
- Schedule once: To run the export one time at a future time, type the desired date and time in `YYYY-MM-DD HH:mm` format, for example `2023-12-31 23:59` (December 31st, 2023, at 23:59).
- Schedule a recurring export: To set up the export to run automatically on a regular schedule, use `cron` syntax. You can learn more about `cron` from Wikipedia, and use this tool and these examples by Cronitor to help you write `cron` expressions.
- The Schedule field also supports random `R` usage and Vixie cron-style `@` keyword expressions.
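Before saving a recurring schedule it is worth expanding the expression to its next few firing times and checking they are what you intended. The following is an added example, not LogMan.io code: it implements standard five-field cron syntax and the Vixie `@` keywords listed in the cron manual, including the Vixie rule that a restricted day-of-month together with a restricted day-of-week fires when either matches. The `R` random extension mentioned above is deliberately not implemented, and the reference time used in the demo is constructed.

```python
"""Added example: expand a cron schedule into its next firing times.

Stand-alone illustration of five-field cron syntax and Vixie @keywords; it is
not LogMan.io code. The "R" (random) extension is not implemented here.
"""
from datetime import datetime, timedelta

# Vixie cron @keywords and their five-field equivalents (@reboot has no time).
_KEYWORDS = {
    "@yearly": "0 0 1 1 *", "@annually": "0 0 1 1 *", "@monthly": "0 0 1 * *",
    "@weekly": "0 0 * * 0", "@daily": "0 0 * * *", "@midnight": "0 0 * * *",
    "@hourly": "0 * * * *",
}
# Allowed (low, high) per field: minute, hour, day-of-month, month, day-of-week.
_LIMITS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def _expand(field: str, low: int, high: int) -> set:
    """Expand one field: '*', 'n', 'a-b', '*/s', 'a-b/s' and comma-separated lists."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {field!r}")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not low <= start <= end <= high:
            raise ValueError(f"value out of range in {field!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr: str):
    """Return (five value sets, day_or). day_or is Vixie's rule: when both the
    day-of-month and day-of-week fields are restricted, a day matches on either."""
    fields = _KEYWORDS.get(expr.strip(), expr.strip()).split()
    if len(fields) != 5:
        raise ValueError("expected five fields or an @keyword")
    sets = [_expand(f, lo, hi) for f, (lo, hi) in zip(fields, _LIMITS)]
    if 7 in sets[4]:               # 0 and 7 both mean Sunday
        sets[4].discard(7)
        sets[4].add(0)
    day_or = fields[2] != "*" and fields[4] != "*"
    return sets, day_or


def _day_matches(t: datetime, sets, day_or: bool) -> bool:
    cron_dow = (t.weekday() + 1) % 7   # Python Mon=0..Sun=6 -> cron Sun=0..Sat=6
    in_dom, in_dow = t.day in sets[2], cron_dow in sets[4]
    return (in_dom or in_dow) if day_or else (in_dom and in_dow)


def next_runs(expr: str, after, count: int = 3) -> list:
    """The next `count` firing times (ISO strings) strictly after `after`,
    which may be a datetime or an ISO-8601 string. Minute resolution."""
    sets, day_or = parse_cron(expr)
    if isinstance(after, str):
        after = datetime.fromisoformat(after)
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    limit = t + timedelta(days=366 * 4)      # guard: e.g. "0 0 31 2 *" never fires
    runs = []
    while len(runs) < count and t < limit:
        if t.month not in sets[3]:           # skip to 00:00 on the 1st of next month
            t = (t.replace(day=1, hour=0, minute=0) + timedelta(days=32)).replace(day=1)
        elif not _day_matches(t, sets, day_or):
            t = t.replace(hour=0, minute=0) + timedelta(days=1)
        elif t.hour not in sets[1]:
            t = t.replace(minute=0) + timedelta(hours=1)
        elif t.minute not in sets[0]:
            t += timedelta(minutes=1)
        else:
            runs.append(t.isoformat(timespec="minutes"))
            t += timedelta(minutes=1)
    return runs


if __name__ == "__main__":
    after = "2023-12-31T15:30"          # constructed reference time (a Sunday)
    for expr in ("0 2 * * *", "*/15 9-17 * * 1-5", "0 0 13 * 5", "@weekly"):
        print(f"{expr:20} -> {next_runs(expr, after)}")
```

The `0 0 13 * 5` case is the one that surprises people: it fires on every Friday and on the 13th of every month, not only on Fridays that fall on the 13th. Expanding a schedule this way before saving it avoids an export that runs far more, or far less, often than intended.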
Query
Type a query to filter for certain data. The query determines which data to export, including the timeframe of the logs.
Warning
You must include a query in every export. If you run an export without a query, everything stored in LogMan.io is exported with no filter for time or content. This can create an extremely large file, put strain on the storage components, and the file is unlikely to be useful to you or to analysts.
If you accidentally run an export without a query, you can delete the export while it's still running in the List of exports by clicking on the trash can button.
TeskaLabs LogMan.io uses the Elasticsearch Query DSL (Domain Specific Language).
Here's the full guide to the Elasticsearch Query DSL.
Example of a query:
```json
{
  "bool": {
    "filter": [
      {
        "range": {
          "@timestamp": {
            "gte": "now-1d/d",
            "lt": "now/d"
          }
        }
      },
      {
        "prefix": {
          "event.dataset": {
            "value": "microsoft-office-365"
          }
        }
      }
    ]
  }
}
```
Query breakdown:
- `bool`: The whole query is a Boolean query, which combines multiple conditions such as `must`, `should`, `must_not` and `filter`. Here it uses `filter`, which lists the conditions a log must satisfy to be included in the export. `filter` can hold multiple conditions.
- `range` is the first filter condition. It applies to the field named inside it, `@timestamp`, so it selects logs whose timestamp falls within a range of values.
- `@timestamp` tells us that the query is filtering on time, so the export covers a specific timeframe.
- `gte` means "greater than or equal to". It is set to `now-1d/d`: take the moment the export runs (`now`), subtract one day, then round down to the start of that day (`/d`). The earliest log included is therefore from 00:00 yesterday.
- `lt` means "less than". It is set to `now/d`, which is `now` rounded down to the start of today, so only logs with a timestamp before 00:00 today are included.
- `prefix` is the second filter condition. It looks for logs where the value of a field, in this case `event.dataset`, starts with `microsoft-office-365`.
So, what does this query mean?
This export contains all Microsoft Office 365 logs from yesterday: the whole calendar day before the day the export runs, from 00:00 up to but not including 00:00 today. It is not a rolling 24-hour window; to export the trailing 24 hours up to the moment of running, use `"gte": "now-24h"` and `"lt": "now"` instead. Elasticsearch rounds date math in UTC unless the range query also sets a `time_zone`, so "yesterday" here is the UTC day. Because `now` is evaluated when the export actually runs, a scheduled export with this query always covers the day before the day it fires.
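Two things are easy to get wrong here: what the `now-1d/d` .. `now/d` range resolves to on a given day, and forgetting the time range altogether (the warning above). The following added example, which is not LogMan.io code, resolves the now-anchored subset of Elasticsearch date math used in export queries, builds the documented query shape programmatically, and refuses to report a window for a query that has no `@timestamp` range. The reference "now" is constructed; the resolution rules follow Elasticsearch's documented date math.

```python
"""Added example: what the documented range filter actually selects.

Stand-alone illustration, not TeskaLabs LogMan.io code. Resolves the
now-anchored subset of Elasticsearch date math used in export queries and
checks that a query constrains @timestamp at all.
"""
import json
import re
from datetime import datetime, timedelta

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# "now", zero or more +/-N{unit} operations, optional rounding down to s/m/h/d.
_DATE_MATH = re.compile(r"^now((?:[+-]\d+[smhdw])*)(?:/([smhd]))?$")


def resolve_date_math(expr: str, now) -> datetime:
    """Resolve e.g. "now-1d/d" or "now-24h" against `now` (datetime or ISO-8601 string).

    Arithmetic is applied left to right, then the optional "/unit" rounds *down*
    to the start of that unit. Elasticsearch rounds in UTC unless the range query
    sets `time_zone`, so `now` must carry a zero UTC offset.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.utcoffset() != timedelta(0):
        raise ValueError("now must be a timezone-aware UTC datetime")
    m = _DATE_MATH.match(expr)
    if not m:
        raise ValueError(f"unsupported date math: {expr!r}")
    t = now
    for sign, amount, unit in re.findall(r"([+-])(\d+)([smhdw])", m.group(1)):
        delta = timedelta(seconds=int(amount) * _UNIT_SECONDS[unit])
        t = t + delta if sign == "+" else t - delta
    rounding = m.group(2)
    if rounding == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif rounding == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif rounding == "m":
        t = t.replace(second=0, microsecond=0)
    elif rounding == "s":
        t = t.replace(microsecond=0)
    return t


def build_export_query(dataset_prefix: str, gte: str, lt: str) -> dict:
    """The bool/filter shape from the documentation, with the range made explicit."""
    return {
        "bool": {
            "filter": [
                {"range": {"@timestamp": {"gte": gte, "lt": lt}}},
                {"prefix": {"event.dataset": {"value": dataset_prefix}}},
            ]
        }
    }


def find_timestamp_range(query):
    """Return the @timestamp range clause reachable through bool filter/must, or None.

    An export whose query has no such clause selects every stored document.
    """
    if not isinstance(query, dict):
        return None
    if "range" in query and "@timestamp" in query["range"]:
        return query["range"]["@timestamp"]
    bool_q = query.get("bool", {})
    for key in ("filter", "must"):
        clauses = bool_q.get(key, [])
        for clause in clauses if isinstance(clauses, list) else [clauses]:
            found = find_timestamp_range(clause)
            if found is not None:
                return found
    return None


def resolved_window(query: dict, now) -> tuple:
    """Concrete (start, end) ISO strings the @timestamp range covers when run at `now`.

    Raises if the query is unbounded in time, which is the mistake the warning describes.
    """
    rng = find_timestamp_range(query)
    if rng is None:
        raise ValueError("query has no @timestamp range: it would export everything")
    lower = rng.get("gte", rng.get("gt"))
    upper = rng.get("lt", rng.get("lte"))
    if lower is None or upper is None:
        raise ValueError("@timestamp range must have both a lower and an upper bound")
    return resolve_date_math(lower, now).isoformat(), resolve_date_math(upper, now).isoformat()


if __name__ == "__main__":
    now = "2023-12-31T15:30:00+00:00"     # constructed "now": 31 Dec 2023, 15:30 UTC
    documented = build_export_query("microsoft-office-365", "now-1d/d", "now/d")
    rolling = build_export_query("microsoft-office-365", "now-24h", "now")
    print(json.dumps(documented, indent=2))
    print("now-1d/d .. now/d ->", resolved_window(documented, now))  # all of 30 Dec
    print("now-24h  .. now   ->", resolved_window(rolling, now))     # trailing 24 h
```

Run at 15:30 UTC on 31 December, the documented query covers 30 December 00:00 to 31 December 00:00, while the `now-24h` variant covers 30 December 15:30 to 31 December 15:30; the two exports share only about eight and a half hours of logs.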
3. Add columns
For .csv and .xlsx files, you need to specify what columns you want to have in your document. Each column represents a data field. If you don't specify any columns, the resulting table will have all possible columns, so the table might be much bigger than you expect or need it to be.
You can see the list of all available data fields in Discover. To find which fields are relevant to the logs you're exporting, inspect an individual log in Discover.
- To add a column, click Add. Type the name of the column.
- To delete a column, click -.
- To reorder the columns, click and drag the arrows.
Warning
Pressing enter after typing a column name will run the export.
This example was downloaded from the export shown above as a .csv file, then separated into columns using the Microsoft Excel Convert Text to Columns Wizard. You can see that the columns here match the columns specified in the export.
4. Run the export by pressing Start.
Once you run the export, you are automatically brought back to the list of exports, and your export appears at the top of the list.
Download an export¶
1. On the List of exports page, click on the cloud button to download.
OR
1. On the List of exports page, click on the export's name.
2. Click Download.
Your browser should automatically start a download.
Delete an export¶
1. On the List of exports page, click on the trash can button.
OR
1. On the List of exports page, click on the export's name.
2. Click Remove.
The export should disappear from your list.
Add an export to your library¶
Note
This feature is only available to administrators.
If you like an export you've created or edited, you can save it to your library as a preset for future use.
1. On the List of exports page, click on the export's name.
2. Click Save to Library.
When you click on New from the List of exports page, your new export preset should be in the list.