Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Export search results to a folder outside splunk

DineshElumalai
Explorer
‎07-02-2025 02:47 AM

Hello Everyone

I need to export the search results to a folder outside the Splunk. To do this job we've exportresults in Splunk which works fine. Basically in my scenario, it is a saved search which runs every week and data has been exported to the folder but it creates a new folder. I need to append the search results to the existing file or else I need to replace the file with the new data. 

If I get result for any one of the things mentioned above. I'm good. Thanks.

Labels (2)
Labels
0 Karma
Reply

PrewinThomas
Motivator
‎07-02-2025 03:14 AM

@DineshElumalai 
Are you using splunk native csv export? or using any script or rest api to export the results?
If you are using outputcsv i agree with @gcusello  export the result to splunk folder and create a script to move to your folder.

Also you can consider using exporting data using rest api with curl.
curl -k -u <username>:<password> https://<splunk-host>:8089/services/search/jobs/export \
-d search="search index=test sourcetype=test earliest=-7d@d latest=now" \
-d output_mode=csv > /external/path/to/destination/results.csv

To append new results to an existing file, use >> instead of >

curl -k -u <username>:<password> https://<splunk-host>:8089/services/search/jobs/export \
-d search="search savedsearch test_weekly_export" \
-d output_mode=csv >> /path/to/your/target/folder/test_report.csv


#https://help.splunk.com/en/splunk-enterprise/search/search-manual/9.3/export-search-results/export-d...

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-02-2025 03:08 AM

You can use this app - https://splunkbase.splunk.com/app/5738

But it seems to have support for many destinations... except local file. You can get around it by connecting back to the host you're running your Splunk instance on.

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-02-2025 02:59 AM

Hi @DineshElumalai ,

I suppose that you're speaking of exportcsv, that is usually exported in the $SPLUNK_HOME/var/run/splunk/csv folder (export folder isn't configurable) and than you can use it.

If you export using the same name the file is overwritten, if the file is saved in a different folder maybe there is some customization (e.g. a script that moves the file).

Ciao.

Giuseppe

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...