Getting Data In

How to change the location a saved search outputs a CSV file to?

Explorer

I have a program, already written, which ingests CSV data from a specific file hierarchy and processes it. I want to pull data out of Splunk, save it as CSV, and have it ingested by the existing program, with as little modification to the existing program as possible.

I know how to create the CSV file from a Splunk search. However, that will save the results to the Splunk results directory, not to the location my existing program ingests CSV data from. Is there a way to change this to instead save my data to a directory of my choice (specifically a mounted shared directory, not relative to the Splunk home directory)? I know how to derive the absolute path of the directory. However, the absolute path depends on the date of the data being generated, so I need to be able to programmatically generate the output location from the scan_time.

0 Karma
1 Solution

Splunk Employee

Not to my knowledge. I think that this is hardcoded. The outputcsv command doesn't permit directory separators like back-slash or forward-slash so you can't just write in a file path. The only workaround I can find is this:

You can create a script to move the file to a location of your choice. Then you can set up an alert that looks for when the saved search has completed. The alert can fire off the script which would move the file from $SPLUNK_HOME/var/run/splunk to the location of your choosing.

SOURCE: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Outputcsv

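The move-by-script workaround described in the accepted answer, written out as an added example. This is not code from the thread or a Splunk-provided tool; it is a hypothetical alert script. It assumes the saved search ends with something like `... | eval scan_date=strftime(scan_time, "%Y-%m-%d") | table scan_date * | outputcsv scanresults`, so the date the poster needs for the path travels inside the CSV itself, and it assumes the ingest root is `/mnt/shared/scans` (override with DEST_BASE). The file produced by `outputcsv` lives under `$SPLUNK_HOME/var/run/splunk/csv/`; the script validates the CSV name and the date before building any path, so a reused or edited search cannot steer the move outside the shared tree, and it stages the copy inside the destination directory and renames it last so the existing program never picks up a half-written file from the network mount.

```shell
#!/bin/sh
# relocate_csv.sh: move a CSV written by "| outputcsv <name>" out of
# $SPLUNK_HOME/var/run/splunk/csv into a date-keyed directory on a shared mount.
# Hypothetical example for this thread, not a Splunk-provided tool.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"     # assumption: default install path
DEST_BASE="${DEST_BASE:-/mnt/shared/scans}"   # assumption: ingest root of the existing program

# Accept only a plain CSV basename (no "/", no leading dot). The search is
# trusted today, but a later search reusing this script must not be able to
# hand it "../../etc/something.csv".
valid_csv_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]*\.csv$'
}

# Map a scan date in YYYY-MM-DD form to DEST_BASE/YYYY/MM/DD.
# Strict validation: a malformed field must fail, not become part of a path.
dest_dir_for() {
    date_str="$1"
    printf '%s\n' "$date_str" \
        | grep -Eq '^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])$' || return 1
    printf '%s/%s\n' "$DEST_BASE" "$(printf '%s' "$date_str" | tr '-' '/')"
}

# Read the scan_date column from the first data row of the CSV.
# Assumption: no column before scan_date contains an embedded comma; putting
# scan_date first in the search ("| table scan_date *") guarantees that.
scan_date_from_csv() {
    awk -F, '
        NR == 1 {
            for (i = 1; i <= NF; i++) { h = $i; gsub(/"/, "", h); if (h == "scan_date") c = i }
            if (!c) exit 2
            next
        }
        NR == 2 { v = $c; gsub(/"/, "", v); print v; exit }
    ' "$1"
}

# Validate, build the destination from the date inside the file, copy into a
# staging name in the same directory, rename, then remove the Splunk copy.
# Prints the final path on success.
relocate_csv() {
    name="$1"
    valid_csv_name "$name" || { echo "refusing unsafe csv name: $name" >&2; return 1; }
    src="$SPLUNK_HOME/var/run/splunk/csv/$name"
    [ -f "$src" ] || { echo "no such results file: $src" >&2; return 1; }
    scan_date=$(scan_date_from_csv "$src") || { echo "scan_date column missing in $src" >&2; return 1; }
    dest_dir=$(dest_dir_for "$scan_date") || { echo "bad scan_date '$scan_date' in $src" >&2; return 1; }
    mkdir -p "$dest_dir"
    tmp="$dest_dir/.$name.part"
    cp "$src" "$tmp"
    mv -f "$tmp" "$dest_dir/$name"   # rename within one filesystem: ingest sees all or nothing
    rm -f "$src"
    printf '%s\n' "$dest_dir/$name"
}

# When run by hand or from the alert's script action, pass the outputcsv name:
#   relocate_csv.sh scanresults.csv
if [ "$#" -gt 0 ]; then
    relocate_csv "$1"
fi
```

The script runs on the search head as the Splunk service account, so that account needs write access to the mount, and the whole flow still depends on the alert firing after the search that wrote the CSV; `outputcsv` overwrites the same file on every run, so moving it away promptly is also what keeps successive runs from clobbering each other.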

Esteemed Legend

You can modify it slightly using outputlookup instead and then also with the createinapp parameter, but that is about it.

0 Karma

@woodcock

I have the same query: I need to redirect the output CSV file to some other directory in Linux. Is there a way to do that from a Splunk query, or will we have to do this via a script?

Kindly confirm.

0 Karma

Esteemed Legend

You can dump it to the dispatch directory with outputcsv or to the lookup subdirectory of an app with outputlookup. That's it.

0 Karma
