Sometimes it is useful to store small amounts of data outside a Splunk index. Using the inputcsv and outputcsv commands, we can store tabular data in CSV files on the filesystem.
Using CSV files to store transient data
Pre-populating a dropdown
If a dashboard contains a dynamic dropdown, you must use a search to populate the dropdown. As the amount of data increases, the query to populate the dropdown will run more and more slowly, even from a summary index. We can use a CSV file to store just the information needed, simply adding new values when they occur.
First, we build a query to generate the CSV file. This query should be run over as much data as possible:
source="impl_splunk_gen" | stats count by user | outputcsv...