Is there a good way to move events between Splunk instances (besides moving entire buckets)?
I'm working on some dashboards with someone outside our enterprise, so them accessing our indexers is not a possibility. I've tried doing a search to extract the test data, using the table command to show the _time and _raw fields, and exporting that as a CSV.
That works for some stuff, but the import fails if the events are multiline.
Moving entire buckets is not a good solution: there is a lot of data in that index that is irrelevant to the recipient.