Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can we download data from splunk which uploaded earlier ?

AKG1_old1
Builder
‎05-09-2017 10:15 AM

Hi,

I have uploaded some data files to Splunk for analysis. Those files are no longer available on my server.

Is it possible to download those data files from splunk ?

Regards
Ankit

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-09-2017 11:10 AM

The data should be available, but depending on how it was ingested, it may not be exactly the same as the original file.

Do a search for source="<my datafile>" to locate the data. You can then use the Export feature to save the results as raw events on your PC.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

adigrio
Path Finder
‎05-09-2017 11:45 AM

You can specify the search command and then pipe it to the csv output. Example:

index=syslog | head 10 | outputcsv rawsyslog.csv

This will save the first 10 records in the syslog index to the rawsyslog.csv file (CSV format) in $SPLUNK_HOME/var/run/splunk.

You can also run the splunk search from command line and export the data. This is probably the best option.

For example, the command below will retrieve the first 10 records from the syslog index and save it to a file called rawsyslog.txt. You will have to adjust your search command accordingly.

C:\Program Files\Splunk\bin>splunk search "index=syslog | head 10" -preview 0 -maxout 0 -output rawdata > rawsyslog.txt
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-09-2017 11:10 AM

The data should be available, but depending on how it was ingested, it may not be exactly the same as the original file.

Do a search for source="<my datafile>" to locate the data. You can then use the Export feature to save the results as raw events on your PC.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...