topic Re: Exporting CSV over 10,000 No OS access in Getting Data In

Exporting CSV over 10,000 No OS access

carmackd — Fri, 21 Jan 2011 05:53:58 GMT

I’m looking for a solution to export a 100,000+ row csv file without giving out OS level access to our search head (outputcsv). Some of our splunk users are involved with collecting large amounts of data for legal cases. They need quick access to their results, but we cannot give them OS level access. I’m aware of the work around that breaks your outputcsv up into 10,000 row segments so you can export them through the UI, but this method is cumbersome, and leaves a mess of csv files behind.
http://blogs.splunk.com/2009/08/07/help-i-cant-export-more-than-10000-events

Does the splunk UI have the ability to access the file system and extract the files created by outputcsv in $SPLUNK_HOME/var/run/splunk/? If not, would it be possible to build a user interface within a splunk app to access the file system?

I’m open to any suggestions, but like the idea of a UI solution.

Re: Exporting CSV over 10,000 No OS access

sideview — Fri, 21 Jan 2011 06:18:44 GMT

1) create one saved search for each csv (that is just | inputcsv filename) and if they run the saved search they'll at least get taken to the search UI where they can sort and filter the data in the csv.

2) create one saved search for each csv, and also create a single custom form search view. That view gives them the option of picking a saved search in a pulldown. where these guys pick which saved search they want, (which amounts to picking the csv) and then the UI could them some simple controls to sort, page or even report on the data in that csv...

and if they can report on it such that the report has <10,000 rows we can throw an export button into that interface too.

If you're pretty familiar with the advanced XML you could take a stab at it, or (pls forgive this if it seems like a plug) you could hire a splunk consultant (like me) to knock it out.

3) If the number of csv's we're talking about is rather large or if it's just a PITA to create a saved search for each of them.... or if they need to be generated on a schedule and automatically named ( http://answers.splunk.com/questions/10552/dynamic-naming-of-files-with-outputcsv ), then it's still possible but it's a different kettle of fish and would require a little custom splunk development.

Re: Exporting CSV over 10,000 No OS access

shirolu — Tue, 24 May 2011 08:53:16 GMT

| outputlookup youcsv.csv
no limits

Re: Exporting CSV over 10,000 No OS access

mmletzko — Fri, 21 Sep 2012 13:32:10 GMT

We have a script that's executed after the search is done that SCPs the csv file to a Windows NT file server and then deletes the CSV on the Splunk Server (Solaris).

This gets the file to the user without them having to have access to the Splunk Server's OS.

Re: Exporting CSV over 10,000 No OS access

DanielFordWA — Mon, 28 Jul 2014 12:32:00 GMT

Quick note - When I use a sort command outputcsv is limited to 10,000. Don't know why but it works fine without sort.

Re: Exporting CSV over 10,000 No OS access

the_wolverine — Fri, 12 Sep 2014 17:59:09 GMT

outputcsv also work just fine after removing the sort command -- export from UI is no longer capped at 10k.