
Unable to filter CLI export

emiller42
Motivator

Hello!

I'm trying to export a subset of logs indexed on one indexer, and then import them into another. I'm attempting to use the CLI export tool to do this, and am running into issues.

If I run the following:

./splunk export eventdata -index main -dir /tmp/export

then I get a successful export of everything that has been indexed by the server. Unfortunately, this is far more data than I actually want to export. To try and narrow it down, I'm using further export flags, but they don't appear to be working at all. I'm trying to get a specific set of log files from specific hosts.

Using commands like the following:

./splunk export eventdata -index main -dir /tmp/export -host HOSTNAME

./splunk export eventdata -index main -dir /tmp/export -source LOGFILEPATH

I simply get nothing exported. I've verified that the host name and log file info is correct, so I'm at a loss as to what is causing it to return nothing. I am assuming that the -host flag is used to denote the forwarder that the logs originated from, and that -source is the full path of the log file (e.g. 'D:\apache-tomcat-6.0.32\bin\server.log'; I have tried it both escaped and unescaped).

Has anyone else run into this issue?

Thanks!


alexiri
Communicator

Yeah, I'm seeing this as well on version 2.4.3. It turns out this is a known issue (SPL-45694) and it's currently being investigated.



xli_splunk
Splunk Employee

I tested the following commands with the 4.3.3 release and both work fine:

splunk export eventdata -index main -dir /temp/events.out -source 'C:\work\test\test.log'

splunk export eventdata -index main -dir /temp/raven -host 'raven-PC'

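The failure mode in this thread is that a filtered export can "succeed" while writing nothing, which is easy to miss in a migration script and leaves the target indexer with a partial data set. The following POSIX shell wrapper is an added example, not code from the thread or from Splunk: it runs the same `splunk export eventdata -index ... -dir ... -host|-source ...` command shown in xli_splunk's reply, then counts the files written and fails loudly when the filter matched nothing. The install path in SPLUNK_BIN (default /opt/splunk/bin/splunk), the per-host directory layout, and the return codes are assumptions of this example, as is the generalisation to a list of hosts.

```shell
# Added example, not from the thread or from Splunk. Wraps `splunk export
# eventdata` so an empty export is reported instead of passing silently.
# SPLUNK_BIN (assumed default /opt/splunk/bin/splunk) and the directory
# layout are assumptions; the CLI flags are the ones used in the thread.

: "${SPLUNK_BIN:=/opt/splunk/bin/splunk}"

# export_subset INDEX OUT_DIR FLAG VALUE
#   FLAG is -host or -source, VALUE the host name or full source path.
#   Returns 0 when at least one file was written, 1 when the filter matched
#   nothing (the symptom reported above), 2 when the CLI itself failed.
export_subset() {
    index=$1; out_dir=$2; flag=$3; value=$4
    mkdir -p "$out_dir" || return 2
    # VALUE is passed as one argument, so a Windows path such as
    # 'C:\work\test\test.log' reaches the CLI with its backslashes intact,
    # provided the caller single-quoted it at the shell prompt.
    "$SPLUNK_BIN" export eventdata -index "$index" -dir "$out_dir" "$flag" "$value" || return 2
    n=$(find "$out_dir" -type f | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "export_subset: nothing exported for $flag $value (check the filter value)" >&2
        return 1
    fi
    echo "export_subset: $n file(s) written to $out_dir for $flag $value" >&2
    return 0
}

# export_hosts INDEX BASE_DIR HOST...
#   One sub-directory per host. Returns the number of hosts that produced
#   no data (so a migration script can stop before importing a partial set),
#   or 99 if the CLI failed outright.
export_hosts() {
    eh_index=$1; eh_base=$2; shift 2
    empty=0
    for h in "$@"; do
        rc=0
        export_subset "$eh_index" "$eh_base/$h" -host "$h" || rc=$?
        case $rc in
            1) empty=$((empty + 1)) ;;
            2) echo "export_hosts: CLI failed for host $h" >&2; return 99 ;;
        esac
    done
    return "$empty"
}

# Usage (assumed paths):
#   SPLUNK_BIN=/opt/splunk/bin/splunk export_hosts main /tmp/export raven-PC web01
#   export_subset main /tmp/export/tomcat -source 'D:\apache-tomcat-6.0.32\bin\server.log'
```

Because the wrapper only reads SPLUNK_BIN at call time, it can be pointed at a stub for dry runs, and its non-zero return on an empty result is what lets the calling script refuse to start the import on the second indexer.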
