Splunk Search

Saving search results on a network share (Linux SH to Windows network share drive)

tmaltizo
Path Finder

I'm trying to automate saving search results for use with other programs. I'm not a Splunk admin, but I want to be able to save my search results on a Windows network share for me to access. The Splunk search head (SH) is on Linux.

Search results are saved on the Linux SH at /opt/splunk/etc/apps/search/lookups/awproxy_data.csv
via " | outputlookup awproxy_data.csv" to save this file.

Can I use the "Edit Schedule" option to configure the search to run a script where it can copy this file from the Splunk linux sh to a network share drive, provided the Linux box can communicate with the Windows drive? If so, how can this be scripted? I'm assuming I need an admin to save the script to $SPLUNK_HOME/bin/scripts or $SPLUNK_HOME/etc/search/bin/scripts as the UI noted.

Are there any other options where I don't need to involve a Splunk admin, besides emailing my search results?

Any help is appreciated. Thanks!
Trista

0 Karma

woodcock
Esteemed Legend

I once created such a facility using a cron job that ran every hour on the Linux-based search head that did ls $SPLUNK_HOME/etc/apps/*/lookups/CopyMeToShare_*.csv and moved each file that matched to the crossmounted NFS share drive and changed the name by removing the CopyMeToShare_ prefix.

In this manner, you just tell people to name their files with the prefix and wait up to an hour for the magic to happen after calling ... | outputcsv CopyMeToShare_MyRealFileName.csv

0 Karma

tmaltizo
Path Finder

Thanks @woodcock!
We are working on the authentication portion in order to copy the file from the SH to the NFS share. Do you have an example of what was scripted in the cron job?

0 Karma

woodcock
Esteemed Legend

It was just simple glue scripting, probably bash or perl. It is maybe 5 lines of work, but I do not have a copy. The key is the prefix.

0 Karma
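The "prefix plus hourly cron job" approach woodcock describes above, written out as an added example. This is not woodcock's original script (he says he no longer has a copy) and not part of Splunk; the script name publish_to_share.sh, the mount point /mnt/share and the cron line are assumptions. One caveat on where to point it: outputlookup writes into an app's lookups directory (as in the question), whereas outputcsv writes under $SPLUNK_HOME/var/run/splunk/csv, so the source root is a parameter rather than hard-coded. Because anyone who can run a search can drop a prefixed file into a lookups directory they have write access to, this job effectively lets every Splunk user publish arbitrary files onto the share under a name of their choosing: run it as the unprivileged splunk account, give it a dedicated writable directory on the share, and never run it as root.

```shell
#!/bin/sh
# Added example of the "prefix and cron" approach from this thread; not woodcock's
# original script and not Splunk's own code. Assumed (hypothetical): the script is
# saved as publish_to_share.sh, Splunk lives under /opt/splunk, and the share is
# already mounted at /mnt/share. Suggested cron entry, run as the splunk user:
#   0 * * * *  /opt/splunk/bin/scripts/publish_to_share.sh /opt/splunk/etc/apps /mnt/share

PREFIX="CopyMeToShare_"
# Skip files modified within the last N minutes so a file a search is still writing
# is not moved half-finished; 0 disables the check.
MIN_AGE_MINUTES="${MIN_AGE_MINUTES:-1}"

# publish_prefixed SRC_ROOT DEST_DIR
#   Moves every SRC_ROOT/*/lookups/<PREFIX>*.csv into DEST_DIR, dropping the prefix
#   from the file name. Returns 1 without moving anything when DEST_DIR is not a
#   directory (what an unmounted share looks like); returns 0 otherwise.
publish_prefixed() {
    src_root="$1"
    dest="$2"

    if [ ! -d "$dest" ]; then
        echo "publish_prefixed: $dest is not a directory (share not mounted?)" >&2
        return 1
    fi

    for f in "$src_root"/*/lookups/"$PREFIX"*.csv; do
        # An unmatched glob stays literal; also skip anything that is not a plain file.
        [ -f "$f" ] || continue
        # outputlookup/outputcsv write regular files, so a symlink here is suspicious:
        # refuse to follow it to some other part of the filesystem.
        [ -L "$f" ] && continue
        if [ "$MIN_AGE_MINUTES" -gt 0 ] && [ -z "$(find "$f" -mmin +"$MIN_AGE_MINUTES")" ]; then
            continue   # too fresh; pick it up on the next run
        fi

        # basename keeps the target inside DEST_DIR; ${base#"$PREFIX"} strips the marker.
        base=$(basename "$f")
        target="$dest/${base#"$PREFIX"}"

        if mv -f -- "$f" "$target"; then
            echo "moved $f -> $target"
        else
            echo "publish_prefixed: failed to move $f" >&2
        fi
    done
    return 0
}

# Entry point for cron; with no arguments the script only defines the function.
if [ "$#" -eq 2 ]; then
    publish_prefixed "$1" "$2"
fi
```

Files that do not carry the prefix are left alone, a name is only ever written directly under the destination directory, and a missing mount makes the job fail loudly instead of filling up the local mount point.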