All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exporting Data to S3

david_taylor
New Member
‎11-01-2024 03:32 PM

Hi,

I have a splunk server that has tonnes of data in it. What we would like to do is have a system on a dedicated search head, that does a search lookup, then exports the data it finds to an S3 bucket for another system to ingest and do analysis on.

I have looked at several adds including Export Everything, and S3 Uploader for Splunk, but neither of them have clear instructions and I am having issues.

Are there any resources that are clear on how to setup the connection to export search results from Splunk into an S3 bucket?

Labels (1)
Labels
0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎11-06-2024 06:38 PM

Hint: check out the splunk dump command. 

Assuming this is for already indexed data and depending on how much data your searches return this can be a quick and dirty way to dump to SH local disk then you can just have some process run the aws s3 cp commands. 

The benefit of this is you can get formatted output with fields you want to retain in the plaintext data that will end up in the files. also can be compressed and files can be rolled, etc. Can also be triggered via api or federated search. 

Downside, depending on the definition of "tonnes" and how much time those tonnes span, the searches may need to be well thought out and broken down into chunks of time.
Command is marked as "internal" unsupported, but depending on your needs may be fine. 
Requires single long running search that could fail.
This is where something like posting the job then programmatically pulling down the results and validating with some logic might be more robust depending on your needs. 

Other options would likely have you looking at surgery with Splunk formatted buckets which, is probably lowerl level then you need/want to go if some other system needs to eat it. 

If this is also new data streaming in, id be looking at Ingest Actions to output to S3. 

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...