Splunk Enterprise Security

Retrieve/download the original source file(s) after a search

memphisft3
Engager

Is there a way to download the sourcefile in the web interface or does it have to be done through the CLI? If it is done through the CLI, what would be the best command to use for this? I am new to SPLUNK, so please keep it simple stupid for a beginner.
Thanks

dwaddle
SplunkTrust
SplunkTrust

There is no way to download the original, identical, source file for an event. When data is ingested into Splunk, the original file is shredded into a series of events. You can run a search to "read all of the events that were in this file", but that does not necessarily give you the same, original file back. Let me make an example - say you have a file named sunday.txt that has 3 events in it:

2018-06-17 10:18:50  This is the first event
2018-06-17 10:18:52  This is the second event
2018-06-17 10:18:51  This is the third event

Now, notice that "something odd happened" and the "third event" has a timestamp that is before the second one. This can happen, sometimes, depending on the logging library in use, the threading model of the application, the granularity of the timestamps. If you go into Splunk and do something like:

index=stuff source=sunday.txt host=server1 | reverse

Splunk will return to you those three events, sorted in time order, like so:

2018-06-17 10:18:50  This is the first event
2018-06-17 10:18:51  This is the third event
2018-06-17 10:18:52  This is the second event

Even if you export this out of Splunk, not the same file anymore! The key thing here is that Splunk is a time series index - that means that time is a primary dimension of the data. When Splunk stores data in its index, each event from the original source stands alone. It does not have anything linking it to "this was the event before me" or "this is the event after me" ... only time!

You can run a search to get back the same set of events that were in a file, and then export that to disk. But, the original file's stream of bytes from beginning to end has been scattered and is not reconstructible.

0 Karma

adonio
Ultra Champion

what do you mean by source file?
if you want to download the results of a search you can export, email and more.
if you need the raw data (in splunk not on the source) try and maybe use the table command on _raw field

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...