Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change the location a saved search outputs a CSV file to?

dsollen
Explorer
‎02-16-2016 08:53 AM

I have a program, already written, which ingests CSV data from a specific file hierarchy and processes it. I want to pull data out of Splunk, save it as CSV, and have it ingested by the existing program, with little modification to the existing program as possible.

I know how to create the CSV file from a Splunk search. However, that will save the results to the Splunk results directory, not to the location my existing program ingests CSV data from. Is there a way to change this to instead save my data to a directory of my choice (specifically a mounted shared directory, not relative to Splunk home directory)? I know how to derive the absolute path of the directory, However, the absolute path depends on date of data being generated, so I need to be able to programmatically generate the output location from the scan_time.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jboucher_splunk
Splunk Employee
Splunk Employee
‎02-16-2016 09:28 AM

Not to my knowledge. I think that this is hardcoded. The outputcsv command doesn't permit directory separators like back-slash or forward-slash so you can't just write in a file path. The only workaround I can find is this:

You can create a script to move the file to a location of your choice. Then you can setup an alert that looks for when the saved search has completed. The alert can fire off the script which would move the file from $SPLUNK_HOME/var/run/splunk to the location of your choosing.

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Outputcsv

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-16-2016 11:10 AM

You can modify it slightly using outputlookup instead and then also with the createinapp parameter, but that is about it.

0 Karma
Reply
Solved! Jump to solution

manish_singh_77
Builder
‎11-08-2019 03:13 AM

@woodcock

I have the same query, need to redirect the output csv file to some other directory in Linux. Is there a way to do that from Splunk query? OR We will have to do this via script.

Kindly confirm.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-08-2019 12:11 PM

You can dump it to the dispatch directory with outputcsv or to the lookup subdirectory of an app with outputlookup. That's it.

0 Karma
Reply
Solved! Jump to solution
Solution

jboucher_splunk
Splunk Employee
Splunk Employee
‎02-16-2016 09:28 AM

Not to my knowledge. I think that this is hardcoded. The outputcsv command doesn't permit directory separators like back-slash or forward-slash so you can't just write in a file path. The only workaround I can find is this:

You can create a script to move the file to a location of your choice. Then you can setup an alert that looks for when the saved search has completed. The alert can fire off the script which would move the file from $SPLUNK_HOME/var/run/splunk to the location of your choosing.

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Outputcsv

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...