Solved: Can we download data from splunk which uploaded ea...

AKG1_old1 · ‎05-09-2017

Hi,

I have uploaded some data files to Splunk for analysis. Those files are no longer available on my server.

Is it possible to download those data files from splunk ?

Regards
Ankit

richgalloway · ‎05-09-2017

The data should be available, but depending on how it was ingested, it may not be exactly the same as the original file.

Do a search for source="<my datafile>" to locate the data. You can then use the Export feature to save the results as raw events on your PC.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

adigrio · ‎05-09-2017

You can specify the search command and then pipe it to the csv output. Example:

index=syslog | head 10 | outputcsv rawsyslog.csv

This will save the first 10 records in the syslog index to the rawsyslog.csv file (CSV format) in $SPLUNK_HOME/var/run/splunk.

You can also run the splunk search from command line and export the data. This is probably the best option.

For example, the command below will retrieve the first 10 records from the syslog index and save it to a file called rawsyslog.txt. You will have to adjust your search command accordingly.

C:\Program Files\Splunk\bin>splunk search "index=syslog | head 10" -preview 0 -maxout 0 -output rawdata > rawsyslog.txt

richgalloway · ‎05-09-2017

The data should be available, but depending on how it was ingested, it may not be exactly the same as the original file.

Do a search for source="<my datafile>" to locate the data. You can then use the Export feature to save the results as raw events on your PC.

---
If this reply helps you, Karma would be appreciated.

Can we download data from splunk which uploaded earlier ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life