Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Exporting CSV over 10,000 No OS access

carmackd
Communicator
‎01-20-2011 09:53 PM

I’m looking for a solution to export a 100,000+ row csv file without giving out OS level access to our search head (outputcsv). Some of our splunk users are involved with collecting large amounts of data for legal cases. They need quick access to their results, but we cannot give them OS level access. I’m aware of the work around that breaks your outputcsv up into 10,000 row segments so you can export them through the UI, but this method is cumbersome, and leaves a mess of csv files behind.
http://blogs.splunk.com/2009/08/07/help-i-cant-export-more-than-10000-events

Does the splunk UI have the ability to access the file system and extract the files created by outputcsv in $SPLUNK_HOME/var/run/splunk/? If not, would it be possible to build a user interface within a splunk app to access the file system?

I’m open to any suggestions, but like the idea of a UI solution.

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎01-20-2011 10:18 PM

1) create one saved search for each csv (that is just | inputcsv filename) and if they run the saved search they'll at least get taken to the search UI where they can sort and filter the data in the csv.

2) create one saved search for each csv, and also create a single custom form search view. That view gives them the option of picking a saved search in a pulldown. where these guys pick which saved search they want, (which amounts to picking the csv) and then the UI could them some simple controls to sort, page or even report on the data in that csv...

and if they can report on it such that the report has <10,000 rows we can throw an export button into that interface too.

If you're pretty familiar with the advanced XML you could take a stab at it, or (pls forgive this if it seems like a plug) you could hire a splunk consultant (like me) to knock it out.

3) If the number of csv's we're talking about is rather large or if it's just a PITA to create a saved search for each of them.... or if they need to be generated on a schedule and automatically named ( http://answers.splunk.com/questions/10552/dynamic-naming-of-files-with-outputcsv ), then it's still possible but it's a different kettle of fish and would require a little custom splunk development.

View solution in original post

Reply
Solved! Jump to solution

mmletzko
Path Finder
‎09-21-2012 06:32 AM

We have a script that's executed after the search is done that SCPs the csv file to a Windows NT file server and then deletes the CSV on the Splunk Server (Solaris).

This gets the file to the user without them having to have access to the Splunk Server's OS.

Reply
Solved! Jump to solution

shirolu
Explorer
‎05-24-2011 01:53 AM

| outputlookup youcsv.csv
no limits

Reply
Solved! Jump to solution

the_wolverine
Champion
‎09-12-2014 10:59 AM

outputcsv also work just fine after removing the sort command -- export from UI is no longer capped at 10k.

0 Karma
Reply
Solved! Jump to solution

DanielFordWA
Contributor
‎07-28-2014 05:32 AM

Quick note - When I use a sort command outputcsv is limited to 10,000. Don't know why but it works fine without sort.

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎01-20-2011 10:18 PM

1) create one saved search for each csv (that is just | inputcsv filename) and if they run the saved search they'll at least get taken to the search UI where they can sort and filter the data in the csv.

2) create one saved search for each csv, and also create a single custom form search view. That view gives them the option of picking a saved search in a pulldown. where these guys pick which saved search they want, (which amounts to picking the csv) and then the UI could them some simple controls to sort, page or even report on the data in that csv...

and if they can report on it such that the report has <10,000 rows we can throw an export button into that interface too.

If you're pretty familiar with the advanced XML you could take a stab at it, or (pls forgive this if it seems like a plug) you could hire a splunk consultant (like me) to knock it out.

3) If the number of csv's we're talking about is rather large or if it's just a PITA to create a saved search for each of them.... or if they need to be generated on a schedule and automatically named ( http://answers.splunk.com/questions/10552/dynamic-naming-of-files-with-outputcsv ), then it's still possible but it's a different kettle of fish and would require a little custom splunk development.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...