https://community.splunk.com/t5/Splunk-Search/How-do-I-export-large-amounts-of-data/m-p/562516#M195632 <P>Consider running multiple searches over smaller time ranges and then combining the results.</P> Sun, 08 Aug 2021 17:07:41 GMT richgalloway 2021-08-08T17:07:41Z https://community.splunk.com/t5/Splunk-Search/How-do-I-export-large-amounts-of-data/m-p/562438#M195616 <P>I am having issues with finding a way to export two reports.</P><P>I have two reports, which I'll call search1 and search2. Both searches were run, then ran in the background. According to the jobs tab, both searches completed. The customer wanted this search run for "all-time" and thus is quite large. Search1 is 9.22GB and Search2 is 4.97GB.</P><P>The issue is getting access to the logs.</P><P>I've tried using | loadjob sid, and it just hangs and fails.</P><P>I've tried exporting from the jobs tab, and it fails.</P><P>I can't use the api, because from what I can tell, you must put the password into the search, when then makes the password searchable for anyone with access to that log.</P><P>I went to the <SPAN>$SPLUNK_HOME/var/run/splunk/dispatch</SPAN> folder and found both jobs where this link,&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.1/Troubleshooting/CommandlinetoolsforusewithSupport#toCsv," target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/8.2.1/Troubleshooting/CommandlinetoolsforusewithSupport#toCsv,</A>&nbsp;says to run "splunk cmd splunkd toCsv ./results.srs.gz". the .gz file appears to now be .zst, but I ran the command.</P><P>Search1 after a while simply said "killed".</P><P>Search2 as I'm writing this appears to be working, as it appears comma delimited text is scrolling on the console. I assume that once changed, I will be able to export this one.</P><P>So how do I export Search1 and other large files in the future? The toCsv command was the last thing I found to try. Perhaps there is a setting in a .conf file I can modify and then run something else? Any assistance is appreciated.</P> Fri, 06 Aug 2021 16:28:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-export-large-amounts-of-data/m-p/562438#M195616 XOJ 2021-08-06T16:28:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-export-large-amounts-of-data/m-p/562516#M195632 <P>Consider running multiple searches over smaller time ranges and then combining the results.</P> Sun, 08 Aug 2021 17:07:41 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-export-large-amounts-of-data/m-p/562516#M195632 richgalloway 2021-08-08T17:07:41Z https://community.splunk.com/t5/Splunk-Search/How-do-I-export-large-amounts-of-data/m-p/564926#M196791 <P>I hate that this is the answer. People have businesses much bigger than ours, and even they have to make tiny searches?</P><P>That being said, you are the only one that gave an answer, so I will mark it as such.</P> Thu, 26 Aug 2021 18:56:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-export-large-amounts-of-data/m-p/564926#M196791 XOJ 2021-08-26T18:56:51Z https://community.splunk.com/t5/Splunk-Search/How-do-I-export-large-amounts-of-data/m-p/564959#M196805 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237213">@XOJ</a>,</P><P>dump command may help you to export a large amount of data.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dump" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dump</A>&nbsp;</P><P>Below will create daily dump files</P><LI-CODE lang="markup">index=yourindex | eval _dstpath=strftime(_time, "%Y%m%d") | dump basefilename=search1</LI-CODE> Fri, 27 Aug 2021 03:41:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-export-large-amounts-of-data/m-p/564959#M196805 scelikok 2021-08-27T03:41:19Z