
Unable to filter CLI export

emiller42
Motivator

Hello!

I'm trying to export a subset of logs indexed on one indexer, and then import them into another. I'm attempting to use the CLI export tool to do this, and am running into issues.

If I run the following:

./splunk export eventdata -index main -dir /tmp/export

then I get a successful export of everything that has been indexed by the server. Unfortunately, this is far more data than I actually want to export. To try and narrow it down, I'm using further export flags, but they don't appear to be working at all. I'm trying to get a specific set of log files from specific hosts.

Using commands like the following:

./splunk export eventdata -index main -dir /tmp/export -host HOSTNAME

./splunk export eventdata -index main -dir /tmp/export -source LOGFILEPATH

I simply get nothing exported. I've verified that the host name and logfile info is correct, so I'm at a loss as to what is causing it to return nothing. I am assuming that the -host flag is used to denote the forwarder that the logs originated from, and that the -source is the full path of the logfile. (Ex: 'D:\apache-tomcat-6.0.32\bin\server.log'. I have tried it both escaped and not)

Has anyone else run into this issue?

Thanks!

1 Solution

alexiri
Communicator

Yeah, I'm seeing this as well on version 2.4.3. It turns out this is a known issue (SPL-45694) and it's currently being investigated.


0 Karma

xli_splunk
Splunk Employee

I tested the following commands with the 4.3.3 release, and both work fine:
splunk export eventdata -index main -dir /temp/events.out -source 'C:\work\test\test.log'
splunk export eventdata -index main -dir /temp/raven -host 'raven-PC'

0 Karma
