Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Finding reports via the cli

David_M
Explorer
‎04-22-2025 05:19 AM

Hello,

I setup 2 reports to run early this AM.  Looks like both reports ran according to splunk.  The problem I have now is finding the actual .csv files on the splunk server so I can scp them.

Thank...

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kiran_panchavat
Champion
‎04-22-2025 05:25 AM

@David_M 

By default, when a Splunk report generates a CSV file (e.g., using the outputcsv command or scheduled report export), the files are saved in the $SPLUNK_HOME/var/run/splunk/csv directory on the search head where the report was executed.

$SPLUNK_HOME is typically /opt/splunk on Linux systems, so the full path would be /opt/splunk/var/run/splunk/csv/.

Navigate to this directory using a terminal:

cd /opt/splunk/var/run/splunk/csv
ls -l

Look for files with a .csv extension. The file names might correspond to the report name, search job ID, or a custom name specified in the report configuration

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Outputcsv

Please refer to this for more details, as highlighted by @gcusello : 

https://community.splunk.com/t5/Getting-Data-In/Is-there-anyway-to-generate-and-store-CSV-files-in-a... 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

View solution in original post

Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎04-22-2025 06:23 AM

Hi @David_M 

Did you use outputcsv, or some other method for exporting the csv such as using the "Output results to lookup" alert action?

As previously mentioned - the output path for outputcsv is $SPLUNK_HOME/var/run/splunk/csv - however these files are not replicated across the cluster if you are running a SHC. 

If you're using the outputcsv, can you confirm you arent using dispatch=true ? If you are you then your job will be in $SPLUNK_HOME/var/run/splunk/dispatch/<job id>/csv

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply
Solved! Jump to solution
Solution

kiran_panchavat
Champion
‎04-22-2025 05:25 AM

@David_M 

By default, when a Splunk report generates a CSV file (e.g., using the outputcsv command or scheduled report export), the files are saved in the $SPLUNK_HOME/var/run/splunk/csv directory on the search head where the report was executed.

$SPLUNK_HOME is typically /opt/splunk on Linux systems, so the full path would be /opt/splunk/var/run/splunk/csv/.

Navigate to this directory using a terminal:

cd /opt/splunk/var/run/splunk/csv
ls -l

Look for files with a .csv extension. The file names might correspond to the report name, search job ID, or a custom name specified in the report configuration

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Outputcsv

Please refer to this for more details, as highlighted by @gcusello : 

https://community.splunk.com/t5/Getting-Data-In/Is-there-anyway-to-generate-and-store-CSV-files-in-a... 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Solved! Jump to solution

David_M
Explorer
‎04-22-2025 06:50 AM

Hi Kiran,

Yea adding the outputcsv command fixed the issue.

 

Thanks!

David

Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎04-22-2025 09:40 AM

@David_M  Good to know that adding the outputcsv command resolved the issue.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

David_M
Explorer
‎04-22-2025 05:31 AM

Hi Kiran,

Well I checked the directory mentioned in the posts and the files aren't there for some reason.

David

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎04-22-2025 05:56 AM

@David_M 

Verify that the reports are configured to generate CSV files. In Splunk Web, go to Settings > Searches, Reports, and Alerts, find your reports, and check their settings.
 

you have two choices:

1) schedule an alert adding csv as attachment, to receive the csv via email.

2) you could schedule a report adding the outputcsv command at the end.

In this way, you save your report as csv in a pre-defined folder (not changeable!).

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...