Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I extend the GUI to export log events to user's PC?

ben363
Path Finder
‎05-20-2014 08:15 PM

I've written a script to export log events. The script currently writes the result to the local disk.

But, most of our users don't have shell accounts.

Is there a way in Splunk for users to export and download the results without having to have access to the Splunk box?

Is it possible add my script as an option to the existing "Export Results" window, or as a different button, or something?

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-22-2014 03:15 AM

Ah. As a simple workaround you could have your script produce the export in a directory accessible by the Splunk webserver (etc/apps/blah/static for example) and display a link after the export for the user to download from.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-20-2014 12:34 AM

To make the link more clickable you could produce a file name in the script and use that to specify the drilldown target: http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/Dynamicdrilldownindashboardsandforms#Form_link...

0 Karma
Reply

ben363
Path Finder
‎06-19-2014 10:01 PM

cont...

Using the regular export raw format works, as you say, depending on what you want to export. Basically, it has to be close enough to Splunk's usual CSV format, or Splunk gets unhappy: "did not return events in descending time order, as expected".

So marked up .csv could work, but if you wanted a more different file format, say .rtf, no luck.

0 Karma
Reply

ben363
Path Finder
‎06-19-2014 09:58 PM

Exporting to static works, but displaying the link to it doesn't.

Having created splunk/etc/system/static/tmp/blah.blah, it can be read by pointing a browser at ...:8089/static/tmp/blah.blah.

But it's not obvious how to export that as a link. If the script returns a link, then splunk displays that link, but as text, not as a hyperlink. Clicking on it takes the user back to the original search, it doesn't follow the link.

The user can cut and paste, or if the filename is predictable, the user can be told what to type, which could sort of work, but isn't nice.

...cont

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-22-2014 08:11 AM

Depending on what you want to export and how, you might also be able to put the format conversion into a custom search command and use the regular export button's raw events format.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-22-2014 05:15 AM

Splunk itself does something similar for packaging apps: http://docs.splunk.com/Documentation/Splunk/6.1/RESTAPI/RESTapps#apps.2Flocal.2F.7Bname.7D.2Fpackage

0 Karma
Reply

ben363
Path Finder
‎05-22-2014 05:13 AM

That could work nicely...

0 Karma
Reply

ben363
Path Finder
‎05-22-2014 12:46 AM

I need to export in a custom format.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-21-2014 04:27 PM

What's wrong with the standard export button in the regular search UI?

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...