topic Re: Export raw logs from specific time in Splunk Search

Is there a way to export raw logs from specific time?

tb582 — Thu, 29 Dec 2022 03:19:38 GMT

I have a specific source type and hosts that I want to export the raw logs for the past 24h is there a way to do that via the ui as I do not have admin access.

Re: Export raw logs from specific time

Damien_Dallimor — Fri, 20 Apr 2012 01:53:29 GMT

You can do something like this to roughly achieve what you are trying to do via Splunk Web.

Replace sourcetype and host with your actual search values.

sourcetype=foo host=goo | table _raw | outputcsv rawdump.csv

The file will get written to $SPLUNK_HOME/var/run/splunk

Re: Export raw logs from specific time

tb582 — Fri, 20 Apr 2012 01:58:18 GMT

But I still need access to that location on the spunk server? Seems like it would be a simple thing for slunk to be able to do. Often times its nessicary to send logs to the third party app developers so that they cam diagnose issues.

Re: Export raw logs from specific time

Damien_Dallimor — Fri, 20 Apr 2012 02:34:45 GMT

Perform your search on required sourcetype(s) and host(s)

Then navigate to Export -> Export Results

Choose Format=Raw Events and click on "Export" to save a txt file of the raw events.

There is "Max # of results to export " option where you can select "unlimited"

Re: Export raw logs from specific time

tb582 — Fri, 20 Apr 2012 22:19:19 GMT

Only exports 10k lines that's no good

Re: Export raw logs from specific time

Damien_Dallimor — Sun, 22 Apr 2012 03:17:26 GMT

There is "Max # of results to export " option where you can select "unlimited"

Note : Splunk 4.3

Re: Export raw logs from specific time

ianmaddox4bookr — Wed, 23 May 2012 20:36:50 GMT

Here's a gzipped dump of everything past a certain timestamp that you run from the linux command line:

sudo /opt/splunk/bin/splunk search "sourcetype=apache_access _time > 1335337200" -preview 0 -maxout 0 -output rawdata | gzip > access_custom.apr-may2012.gz

Re: Export raw logs from specific time

shawngarrettsgp — Wed, 13 Apr 2016 16:17:34 GMT

Yeah agreed, the "table _raw" solution did not work for me at all in 6.2.0, it looks like it would by populating stats but when I hit "export" then did csv it just gave me a file of timestamps.

Following the CLI export example though got it done.
http://docs.splunk.com/Documentation/Splunk/6.3.3/Search/Exportsearchresults

Re: Export raw logs from specific time

vnguyen46 — Tue, 02 Jun 2020 00:46:36 GMT

This is a good scripting approach to export large search results.
This is another example of scripting: splunk search "index=_internal earliest=09/14/2014:23:59:00 latest=09/16/2014:01:00:00 " -output rawdata -maxout 200000 > c:/test123.dmp

Thanks,

Re: Export raw logs from specific time

thambisetty — Mon, 26 Dec 2022 04:07:21 GMT

From UI:

you can try dump command. choose the time range for which you want to export the logs. Make sure you have enough storage available in the server.

index=<index_name> | dump basefilename=dump_<index_name>

basefilename will be saved under $SPLUNK_HOME/var/run/splunk/dispatch/<search_job_id>/dump/basefilename_<some_number>_<hour>.raw.gz

Note: Splunk generates 1 dump for 1 hour. if you have selected 24hours time range then you will see 24 or 25 files.

Re: Export raw logs from specific time

kiranshaw — Thu, 23 Mar 2023 12:22:25 GMT

@Damien_Dallimor Thanks man, this worked perfectly. Youre a rockstar! I want to add that I was able to set the host name using regular expression in path and created multiple indices by recreating the folder structure of the raw logs thanks to your method. Worked like a charm 👍 Thanks once again.