How do I make a report save to a share on a differ...

Mick · ‎04-13-2010

I run a report every 24 hours, and I want to make the .csv results file available to multiple users afterwards. Can I configure the report to automatically save it to an alternate location rather than the default $SPLUNK_HOME/var/run/splunk/dispatch/<search_id>/results.csv.gz?

mzax · ‎06-10-2010

In order to send the search results to another location, you can use the search command: outputcsv. Documented at: http://www.splunk.com/base/Documentation/latest/SearchReference/Outputcsv

keeping the saved search artifact for longer in the $SPLUNK_HOME/var/run/splunk/dispatch dir, is done using the dispatch.ttl parameter in the saved search configuration. (It can get a bit complicated if there are actions that are triggered from the search).

See: http://www.splunk.com/base/Documentation/latest/Admin/Savedsearchesconf The default value for keeping the saved searches results is twice the time period.

mayler · ‎04-13-2010

You can also configure splunk to email those .csv results every day to anyone you want. It's in the saved search, alert actions, email and include results. Or you could trigger the shell script from the saved search-no need to issue command line search.

jfraiberg · ‎04-13-2010

do the search via command line and you can specify where it goes, from there you can cron something to put it where ever you want.

The end of the search command can look something like this -

-format csv > "/usr/local/reports/whatever.csv.gz"

How do I make a report save to a share on a different server every 24 hours?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk