Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting Data from Splunk for reporting in an external system

DanielFordWA
Contributor
‎05-29-2013 03:35 AM

I would like to extract the search results from searches performed by Splunk on a regular basis.

This data will then be added into a database which our reporting tool sits on top of (Qlikview)

I have had a look at the REST API and the CLI but I am a novice and a little confused.

I have setup all the required searches that produce the data the business would require, can someone talk me through a simple way of extracting this via REST so I can populate the data into Excel or have the data delivered in csv format.

I am doing a Proof of Concept at the moment so I am just trying to run a test to understand how it works.

Thanks,

Dan

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

barakreeves
Splunk Employee
Splunk Employee
‎05-29-2013 07:18 AM

Let's take this step-by-step. Start out with your favorite language. I will use Python.

1- Install the Python SDK; video link: https://www.youtube.com/watch?list=UUG5B6oQWWsIt-yO826IwG2Q&feature=player_detailpage&v=TUQcjSWzZg8;
Installation link: http://dev.splunk.com/goto/sdk-python

2- Connect to Splunk via the API: http://dev.splunk.com/view/SP-CAAAEE4
3- Run a simple search and display results in command line: http://dev.splunk.com/view/SP-CAAAEE5 and use "To create a basic oneshot search and display results" code example towards the bottom
4- See how the results are returned
5- From the results, modify the code to either create your own CSV or via the API

You can also use the REST API directly using curl. Here's a link with a code example: http://docs.splunk.com/Documentation/Splunk/5.0.3/RESTAPI/RESTsearch#search.2Fjobs.2Fexport

Hope this helps.

View solution in original post

Reply
Solved! Jump to solution

steverimar
Explorer
‎02-15-2016 02:36 PM

We actually have a QlikView connector available for Splunk. E-mail me at steverimar@analyticaconsulting.com if you are interested. We're a QlikView and Splunk partner. -Steve

0 Karma
Reply
Solved! Jump to solution

Gilberto_Castil
Splunk Employee
Splunk Employee
‎05-29-2013 08:19 AM

This process would require an explicit search to extract data either from the Splunk UI or the REST API. Assume for example that you have a Splunk saved search named “Alert Index Capacity”. You can then use the REST API to run the search on demand.

curl -k -u admin:splunk -d  "search=|savedsearch %22Alert%3A%20Index%20Capacity%22" https://10.0.1.20:8089/services/search/jobs/

At that point the REST API will respond with something like this:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <sid>1367356709.287</sid>
</response>

To obtain the results into a CSV, then use the following:

curl -u admin:splunk -k https://10.0.1.21:8089/services/search/jobs/1367356709.287 --get -d output_mode=csv > mySplunkCSVData.csv

This should be formatted in a table format and may satisfactory for your third party tool. If you already have all of the knowledge items in Splunk, then you can use this method to extract the data.

Reply
Solved! Jump to solution

Mgrease
New Member
‎10-09-2016 01:55 PM

Do we have similar examples for wget?

0 Karma
Reply
Solved! Jump to solution
Solution

barakreeves
Splunk Employee
Splunk Employee
‎05-29-2013 07:18 AM

Let's take this step-by-step. Start out with your favorite language. I will use Python.

1- Install the Python SDK; video link: https://www.youtube.com/watch?list=UUG5B6oQWWsIt-yO826IwG2Q&feature=player_detailpage&v=TUQcjSWzZg8;
Installation link: http://dev.splunk.com/goto/sdk-python

2- Connect to Splunk via the API: http://dev.splunk.com/view/SP-CAAAEE4
3- Run a simple search and display results in command line: http://dev.splunk.com/view/SP-CAAAEE5 and use "To create a basic oneshot search and display results" code example towards the bottom
4- See how the results are returned
5- From the results, modify the code to either create your own CSV or via the API

You can also use the REST API directly using curl. Here's a link with a code example: http://docs.splunk.com/Documentation/Splunk/5.0.3/RESTAPI/RESTsearch#search.2Fjobs.2Fexport

Hope this helps.

Reply
Solved! Jump to solution

DanielFordWA
Contributor
‎05-29-2013 07:45 AM

Thanks,

I am doing a Proof of Concept with Splunk to sit along side our web analytics tools. I have to say Splunk is great but getting data out of it is no easy task. I would have expected to be able to query Splunk from most other tools (Excel, Access, Qlikview etc) and load the data without much effort.

I'll follow your steps and see how I go.

Thanks,

Dan

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...