Getting Data In

How to export and dump saved search results from Splunk 5.0.4 in CSV format to some other server location?

Explorer

Hi All,

I am working on Splunk 5.0.4 in our environment. We have a requirement to export search results in CSV format from Splunk and dump them to some other server location automatically.

This file size is huge (say 1 GB), so I am not able to schedule this report using an email option.

I also cannot use the outputcsv search command because the result goes to a specific location on the Splunk server.

Could someone please assist me with how to perform this activity?

Regards,
Vijaya D

0 Karma

SplunkTrust

One solution I've used to a similar problem is to use the outputcsv command and then use a cron job to copy the CSV file from the Splunk location to the desired location. Schedule the cron job to run a few minutes after the Splunk job runs (or longer if it takes a long time to run your query).

---
If this reply helps you, an upvote would be appreciated.

SplunkTrust

I did it with a little variation. I set up an alert script in the same search to get fired after the search is completed and then scp/ftp to the required location.

0 Karma

Explorer

Hi,

Thanks for the reply.

I have scheduled searches on a weekly basis using cron and triggered email.

May I know how to schedule a cron job to copy the CSV file to the desired location?

I am unaware of how to copy a file to some other location using a cron job 😞

Please assist me.

Thanks,
Vijaya D

0 Karma

SplunkTrust

I assume you're running Splunk on a Linux system. If not, then cron does not apply.

Use the crontab program to create a job that executes shortly after your weekly scheduled searches complete. The job can call rsync, ftp, or any other program to transfer the file to the desired location.

If your scheduled search runs on Sunday night, for example, then you could set the cron job to run on Monday morning using

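crontab -e
# cron does not load your login environment, so set SPLUNK_HOME in the crontab itself (/opt/splunk is an assumed install path)
SPLUNK_HOME=/opt/splunk
0 4 * * 1 rsync $SPLUNK_HOME/var/run/splunk/csv/*.csv some/other/location
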
---
If this reply helps you, an upvote would be appreciated.
0 Karma
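
Added example (not part of any reply above, and not Splunk's own tooling): a wrapper script the cron job could call instead of a bare rsync, so that a CSV which outputcsv is still writing is skipped and the receiving server can verify checksums. The destination host, SSH key path, /opt/splunk default and the 10-minute quiet window are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: cron wrapper that ships only finished
# outputcsv files. Host, user, key path and the 10-minute window are assumptions.
set -e
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"   # cron does not inherit this; default path assumed
CSV_DIR="${CSV_DIR:-$SPLUNK_HOME/var/run/splunk/csv}"
DEST="${DEST:-splunkxfer@reports.example.com:/srv/splunk-exports/}"   # hypothetical
SSH_KEY="${SSH_KEY:-$HOME/.ssh/splunk_export_ed25519}"                # hypothetical
MIN_AGE_MIN="${MIN_AGE_MIN:-10}"

# List CSV basenames in dir $1 untouched for more than $2 minutes, i.e. files the
# search has finished writing. A file still growing is skipped until the next run.
stable_csvs() {
    find "$1" -maxdepth 1 -type f -name '*.csv' -mmin "+$2" | sed 's|.*/||' | sort
}

# Write SHA-256 sums for the basenames listed in file $2 (one per line) into
# $1/MANIFEST.sha256 so the receiver can run `sha256sum -c` after the transfer.
write_manifest() {
    ( cd "$1" && while IFS= read -r f; do sha256sum -- "$f"; done < "$2" ) \
        > "$1/MANIFEST.sha256"
}

main() {
    list=$(mktemp)
    trap 'rm -f "$list"' EXIT
    stable_csvs "$CSV_DIR" "$MIN_AGE_MIN" > "$list"
    if [ ! -s "$list" ]; then
        echo "no finished CSV files in $CSV_DIR" >&2
        return 0
    fi
    write_manifest "$CSV_DIR" "$list"
    echo MANIFEST.sha256 >> "$list"
    # --files-from keeps names with spaces intact; BatchMode makes ssh fail
    # instead of prompting, since cron has no terminal.
    rsync -a --partial --files-from="$list" \
        -e "ssh -i $SSH_KEY -o BatchMode=yes" "$CSV_DIR/" "$DEST"
}

# Run the transfer only when invoked as: ship_csv.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Use a key dedicated to this job and restrict it on the receiving server to the export directory, since it sits unencrypted on the Splunk host.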