How to export CSV from Splunk to a third-party sys...

koshyk · ‎05-06-2020

We have a requirement to send Splunk processed data as a CSV to a third-party system. Currently the CSV file is sent via email, but we want it to be kept in a shared location (or folder) where Control-M (or a similar batch processing system) can move the file for other purposes.

My understanding of sending or exporting to a third-party via Splunk is the following:

(a) Could send as syslog to external system (but that will be events)
(b) Could send as alerts (again events)
(c) Could send CSV file but as email attachment

Is there an option to do option (c) like an export/dump into an external filesystem? Has anyone tried this or done a custom output export script?

richgalloway · ‎05-06-2020

Add | outputcsv foo to the end of your search to save the results to $SPLUNK_HOME/var/run/splunk/csv/foo.csv.

---
If this reply helps you, Karma would be appreciated.

koshyk · ‎05-06-2020

But that's still within Splunk's filesystem. outputcsv was ideal if it had an option for filepath

Ideally i'm looking for

|outputcsv {destination_server}:{destination_file_location}

richgalloway · ‎05-06-2020

There is no option to save files in another location. Perhaps you could make a symlink work, but I'd just have a utility monitor $SPLUNK_HOME/var/run/splunk/csv/foo.csv and move the file to the final location.

---
If this reply helps you, Karma would be appreciated.

How to export CSV from Splunk to a third-party system in batch mode?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation