https://community.splunk.com/t5/Reporting/How-to-export-very-large-datasets-from-Splunk/m-p/265753#M5153 <P>This technique worked very well. I am also able to do a normal export without having to fetch data manually from /dispatch. Thank you, Burch!</P> Mon, 08 Feb 2016 14:22:53 GMT _gkollias 2016-02-08T14:22:53Z https://community.splunk.com/t5/Reporting/How-to-export-very-large-datasets-from-Splunk/m-p/265750#M5150 <P>I’m trying to find a way that I can export a very large data set without bringing down any search heads (which I already learned the hard way). Even 10 days of data produces around 10M rows and Splunk isn't able to handle that size of an export. </P> <P>When I use the outputcsv command, I’m finding that the large output gets replicated in that SH's searchpeer bundles. This results in end users not being able to pull up any data when running searches on that SH. I thought I could simply export it and move it to /tmp/ before anything squirrely occurred.</P> <P>Do you have any ideas on how else I can export large data sets from Splunk? Here is the search:</P> <PRE><CODE>(index=1) OR (index=2) OR (index=3) | table various field names </CODE></PRE> <P>Thanks in Advance</P> Wed, 03 Feb 2016 15:35:07 GMT https://community.splunk.com/t5/Reporting/How-to-export-very-large-datasets-from-Splunk/m-p/265750#M5150 _gkollias 2016-02-03T15:35:07Z https://community.splunk.com/t5/Reporting/How-to-export-very-large-datasets-from-Splunk/m-p/265751#M5151 <P>Try <CODE>dump</CODE> (<A href="http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Dump">dump</A>) command </P> <P>OR</P> <P>using Rest : <A href="http://blogs.splunk.com/2013/09/15/exporting-large-results-sets-to-csv/">http://blogs.splunk.com/2013/09/15/exporting-large-results-sets-to-csv/</A></P> <P>Also refer : <A href="https://answers.splunk.com/answers/172454/what-are-my-options-to-export-large-amounts-of-spl.html">https://answers.splunk.com/answers/172454/what-are-my-options-to-export-large-amounts-of-spl.html</A></P> Wed, 03 Feb 2016 17:07:57 GMT https://community.splunk.com/t5/Reporting/How-to-export-very-large-datasets-from-Splunk/m-p/265751#M5151 renjith_nair 2016-02-03T17:07:57Z https://community.splunk.com/t5/Reporting/How-to-export-very-large-datasets-from-Splunk/m-p/265752#M5152 <P>It sounds like you're trying to use output.csv. If this is a onetime thing, then theoretically I think you can simply run the search the produces the table, then go to the dispatch directory to find the results and download them. Be sure to do it quickly since the job may only persist for ten minutes.</P> <P>Additionally, you can improve the performance of the search by running <CODE>stats</CODE> instead of <CODE>table</CODE>:</P> <PRE><CODE>(index=1) OR (index=2) OR (index=3) | stats count by various field names | fields - count </CODE></PRE> <P>I believe <CODE>table</CODE> is a streaming command and therefore returns all results to the search heads for processing. That's a HUGE memory footprint. <CODE>stats</CODE> simply tells the indexers to only send the fields of concern back to the search head. You can run <CODE>sistats</CODE> to get an idea of what is returned. You'll notice its much less data than all event's payloads.</P> <P>I believe both the <CODE>stats</CODE> usage and fetching from the dispatch should address your issue.</P> Thu, 04 Feb 2016 23:13:52 GMT https://community.splunk.com/t5/Reporting/How-to-export-very-large-datasets-from-Splunk/m-p/265752#M5152 sloshburch 2016-02-04T23:13:52Z https://community.splunk.com/t5/Reporting/How-to-export-very-large-datasets-from-Splunk/m-p/265753#M5153 <P>This technique worked very well. I am also able to do a normal export without having to fetch data manually from /dispatch. Thank you, Burch!</P> Mon, 08 Feb 2016 14:22:53 GMT https://community.splunk.com/t5/Reporting/How-to-export-very-large-datasets-from-Splunk/m-p/265753#M5153 _gkollias 2016-02-08T14:22:53Z