Hi All,
I am working on Splunk 5.0.4 in our environment. We have a requirement to export search results in CSV format from Splunk and dump it to some other server location automatically.
This file size is huge (say 1 GB), so I am not able to schedule this report using an email option.
I cannot use the outputcsv search command either, because the result goes to a specific location on the Splunk server.
Could someone please assist me with how to perform this activity?
Regards,
Vijaya D
One solution I've used for a similar problem is to use the outputcsv command and then use a cron job to copy the CSV file from the Splunk location to the desired location. Schedule the cron job to run a few minutes after the Splunk job runs (or longer if it takes a long time to run your query).
I did it with a little variation. I set up an alert script on the same search to get fired after the search is completed, and then scp/ftp it to the required location.
Hi,
Thanks for the reply.
I have scheduled searches on a weekly basis using cron and triggered an email.
May I know how to schedule a cron job to copy the CSV file to the desired location?
I am unaware of copying a file to some other location using a cron job 😞
Please assist me.
Thanks,
Vijaya D
I assume you're running Splunk on a Linux system. If not, then cron does not apply.
Use the crontab program to create a job that executes shortly after your weekly scheduled searches complete. The job can call rsync, ftp, or any other program to transfer the file to the desired location.
If your scheduled search runs on Sunday night, for example, then you could set the cron job to run on Monday morning using
crontab -e
# cron runs with a minimal environment, so SPLUNK_HOME must be set in the crontab itself
# (/opt/splunk is the default install location; adjust to match your installation)
SPLUNK_HOME=/opt/splunk
# 04:00 every Monday: copy the outputcsv results to the destination
# (for a remote host, replace some/other/location with user@host:/path so rsync goes over ssh)
0 4 * * 1 rsync $SPLUNK_HOME/var/run/splunk/csv/*.csv some/other/location
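As an added example (not code from any of the posters), the following POSIX shell script covers both approaches discussed above: called from cron with the outputcsv directory, it picks the newest CSV there; called from an alert script with a results file path, it ships that file directly (in Splunk's legacy alert-script interface the results file path arrives as the 8th argument, so a wrapper would run `ship_csv.sh "$8" user@host:/path`). It waits until the file size stops changing so a file Splunk is still writing is not copied half-finished, and it uses rsync over ssh rather than ftp, which would send credentials and the exported data in the clear. The script name `ship_csv.sh`, the `STABLE_INTERVAL` variable and the assumption that key-based ssh to the destination is already configured are all mine, not the thread's.

```shell
#!/bin/sh
# ship_csv.sh: copy a Splunk CSV export to another location.
#   cron mode:  ship_csv.sh <csv-dir> <destination>       (newest *.csv in <csv-dir>)
#   alert mode: ship_csv.sh <results-file> <destination>  (file passed directly, e.g. "$8")
# Assumes rsync is installed and, for a remote destination, ssh key auth is set up.
set -eu

# newest_csv DIR -> path of the most recently modified *.csv in DIR (empty if none)
newest_csv() {
    newest=
    for f in "$1"/*.csv; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    printf '%s\n' "$newest"
}

# wait_stable FILE SECONDS -> succeeds once FILE's size is unchanged across one interval,
# i.e. Splunk has (very likely) finished writing it
wait_stable() {
    f=$1; interval=${2:-5}
    before=$(wc -c < "$f")
    sleep "$interval"
    after=$(wc -c < "$f")
    [ "$before" -eq "$after" ]
}

# ship_csv SOURCE DEST -> copies SOURCE (a directory or a file) to DEST and prints the
# path of the file that was shipped; fails with a message if there is nothing to ship
ship_csv() {
    src=$1; dest=$2
    if [ -d "$src" ]; then
        file=$(newest_csv "$src")
    else
        file=$src
    fi
    [ -n "$file" ] && [ -r "$file" ] || { echo "no readable CSV found at $src" >&2; return 1; }
    wait_stable "$file" "${STABLE_INTERVAL:-5}"
    if command -v rsync >/dev/null 2>&1; then
        # -a keeps timestamps, --chmod strips "other" access on the copy (exports can hold sensitive data)
        rsync -a --chmod=Fo-rwx "$file" "$dest"
    else
        cp "$file" "$dest"   # fallback for hosts without rsync (local destinations only)
    fi
    printf '%s\n' "$file"
}

# Run only when invoked with arguments, so the functions can also be sourced
if [ "$#" -ge 2 ]; then
    ship_csv "$1" "$2"
fi
```

A matching crontab entry would be `0 4 * * 1 /opt/splunk/bin/scripts/ship_csv.sh /opt/splunk/var/run/splunk/csv user@host:/exports/` (paths assumed); the alert-script route needs no cron timing at all, because Splunk fires the script only after the search has finished.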