topic Re: Build data from index in Splunk Enterprise

Build data from index

thirumalreddyb — Mon, 18 Nov 2013 19:57:55 GMT

Hi,

I have an interesting question put by my client. Here in this case splunk listens to a port and starts indexing the streaming data. Now that an index is built and there is no physical storage of files(Source), the other tools want to access the physical files. How do I build physical files AUTOMATICALLY from the index.

Note : I tried exporting the results of a search MANUALLY and that worked fine irrespective of the file size. Please correct me for the size factor.

Thanks in advance.

Re: Build data from index

lukejadamec — Mon, 18 Nov 2013 20:14:31 GMT

You could create a search that ends with

| table _time,_raw | outputcsv csvfilename

This will create a csv file in the splunk\var\run\splunk directory that includes the raw data.

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Outputcsv

Re: Build data from index

somesoni2 — Mon, 18 Nov 2013 20:32:30 GMT

Alternatively, if you looking for some script automation for the same, you can use curl command to execute and export the search result (preferred for large no of rows). This command is availabe in Linux/Unix and downloadable versions available for windows.

curl -k -u adminUserName:password https://<<yourHostName:8089/services/search/jobs/export --data-urlencode search='search <<your base search>> | table index,host,source,sourcetype,_raw' -d output_mode=csv -d earliest_time='-2d@d' -d latest_time='-1d@d' -o <<yourfilename>>.csv

Re: Build data from index

thirumalreddyb — Mon, 18 Nov 2013 20:35:49 GMT

Thanks for your time. I really appreciate.

Re: Build data from index

thirumalreddyb — Mon, 18 Nov 2013 20:36:24 GMT

Thank you. I was exactly looking for something like this.