Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Unable to filter CLI export

emiller42
Motivator
‎11-08-2011 10:50 AM

Hello!

I'm trying to export a subset of logs indexed on one indexer, and then import them into another. I'm attempting to use the cli export tool to do this, and am running into issues.

If I run the following:

./splunk export eventdata -index main -dir /tmp/export

then I get a successful export of everything that has been indexed by the server. Unfortunately, this is far more data than I actually want to export. To try and narrow it down, I'm using further export flags, but they don't appear to be working at all. I'm trying to get a specific set of log files from specific hosts.

Using commands like the following:

./splunk export eventdata -index main -dir /tmp/export -host HOSTNAME

./splunk export eventdata -index main -dir /tmp/export -source LOGFILEPATH

I simply get nothing exported. I've verified that the host name and logfile info is correct, so I'm at a loss as to what is causing it to return nothing. I am assuming that the -host flag is used to denote the forwarder that the logs originated from, and that the -source is the full path of the logfile. (Ex: 'D:\apache-tomcat-6.0.32\bin\server.log'. I have tried it both escaped and not)

Has anyone else run into this issue?

Thanks!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

alexiri
Communicator
‎12-15-2011 08:37 AM

Yeah, I'm seeing this as well on version 2.4.3. It turns out this is a known issue (SPL-45694) and it's currently being investigated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

xli_splunk
Splunk Employee
Splunk Employee
‎07-06-2012 01:02 PM

I tested following commands with 4.3.3 release and both work fine:
splunk export eventdata -index main -dir /temp/events.out -source 'C:\work\test\test.log'
splunk export eventdata -index main -dir /temp/raven -host 'raven-PC'

0 Karma
Reply
Solved! Jump to solution
Solution

alexiri
Communicator
‎12-15-2011 08:37 AM

Yeah, I'm seeing this as well on version 2.4.3. It turns out this is a known issue (SPL-45694) and it's currently being investigated.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...