Getting Data In

How do I make a report save to a share on a different server every 24 hours?

Mick
Splunk Employee
Splunk Employee

I run a report every 24 hours, and I want to make the .csv results file available to multiple users afterwards. Can I configure the report to automatically save it to an alternate location rather than the default $SPLUNK_HOME/var/run/splunk/dispatch/<search_id>/results.csv.gz?

mzax
Splunk Employee
Splunk Employee

In order to send the search results to another location, you can use the search command: outputcsv. Documented at: http://www.splunk.com/base/Documentation/latest/SearchReference/Outputcsv

keeping the saved search artifact for longer in the $SPLUNK_HOME/var/run/splunk/dispatch dir, is done using the dispatch.ttl parameter in the saved search configuration. (It can get a bit complicated if there are actions that are triggered from the search).

See: http://www.splunk.com/base/Documentation/latest/Admin/Savedsearchesconf The default value for keeping the saved searches results is twice the time period.

mayler
Path Finder

You can also configure splunk to email those .csv results every day to anyone you want. It's in the saved search, alert actions, email and include results. Or you could trigger the shell script from the saved search-no need to issue command line search.

jfraiberg
Communicator

do the search via command line and you can specify where it goes, from there you can cron something to put it where ever you want.

The end of the search command can look something like this -

-format csv > "/usr/local/reports/whatever.csv.gz"

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...