Best Practice: How to write a query that allows export to CSV in a multi-cluster view

When working in a multi-cluster view in LogScale, there are some limitations when exporting query results to CSV files. This article explains these limitations and provides workarounds.

Let's say, for example, you are querying EAM, which results in a multi-cluster view spanning two distinct clusters. You want to export the results to a file, but the export is refused because the view is a multi-cluster view. You try restricting the query to one cluster with the #humio_cluster_id field, exporting, and then repeating the query and export for the other cluster, but this does not work either.

To understand why this does not work, consider the following key points about exporting from multi-cluster views:

  • Direct export of raw query results is not supported in multi-cluster views

  • To export results, you must use an aggregate function in your query

  • The limitation exists because it is not possible to stream multi-cluster search results to a file

Supported aggregate functions for export include:

  • sort() - Sorts the results by a specified field

Example query using an aggregate function to enable export:

  your_query
  | sort(@timestamp)
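A fuller version of the same pattern, added here as an example that is not part of the original article: a raw-event filter wrapped in sort() so that the result set is an aggregate and CSV export is permitted in the multi-cluster view. The field names #event_simpleName and ComputerName and the value ProcessRollup2 are assumed for illustration; sort() takes a limit parameter, and the limit you choose caps the number of rows that reach the CSV.

```logscale
// Added example, not from the original article.
// The filter fields below are assumed for illustration; substitute your own.
#event_simpleName=ProcessRollup2
| ComputerName=*
// sort() turns the raw event stream into an aggregate result, which is what
// allows export from a multi-cluster view. Set limit to cover the number of
// rows you expect, otherwise the exported CSV is truncated at that count.
| sort(@timestamp, order=desc, limit=1000)
```

Because the export limit is the sort() limit, check the row count of the result before exporting; if it equals the limit you set, raise the limit or narrow the time range so that no rows are silently dropped.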

If you need to access raw data from specific clusters, you should:

  1. Access the individual cluster views directly instead of using the multi-cluster view

  2. Run your queries on each cluster separately

  3. Export the results from each cluster individually

Note

Using head() or tail() functions may not work for enabling exports in multi-cluster environments, even though they are aggregate functions.