Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to export and dump saved search results from Splunk 5.0.4 in CSV format to some other server location?

d_vijaya
Explorer
‎06-24-2016 07:13 AM

Hi All,

I am working on Splunk 5.0.4 in our environment. We have a requirement to export search results in CSV format from Splunk and dump it to some other server location automatically.

This file size is huge (say 1 GB), so I am not able to schedule this report using an email option.

I cannot use the outputcsv search command also because the result goes to a specific location on the Splunk server.

Could someone please assist me how to perform this activity?

Regards,
Vijaya D

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2016 11:04 AM

One solution I've used to a similar problem is to use the outputcsv command and then use a cron job to copy the CSV file from the Splunk location to the desired location. Schedule the cron job to run a few minutes after the Splunk job runs (or longer if it takes a long time to run your query).

---
If this reply helps you, Karma would be appreciated.
Reply

somesoni2
Revered Legend
‎06-24-2016 11:22 AM

I did it with a little variation. I setup an alert script in the same search to get fired after the search is completed and then scp/ftp to required location.

0 Karma
Reply

d_vijaya
Explorer
‎06-29-2016 05:10 AM

Hi,

Thanks for the reply.

I have scheduled searches on weekly basis using cron and triggered email.

May I know how to schedule cron job to copy csv file to desired location?

I am unaware of copying file to some other location suing cron job 😞

Please assist me.

Thanks,
Vijaya D

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-29-2016 07:31 AM

I assume you're running Splunk on a Linux system. If not, then cron does not apply.

Use the crontab program to create a job that executes shortly after your weekly scheduled searches complete. The job can call rsync, ftp, or any other program to transfer the file to the desired location.

If your scheduled search runs on Sunday night, for example, then you could set the cron job to run on Monday morning using

crontab -e
0 4 * * 1 rsync $SPLUNK_HOME/var/run/splunk/csv/*.csv some/other/location
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...