Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Finding reports via the cli

David_M
Explorer
‎04-22-2025 05:19 AM

Hello,

I setup 2 reports to run early this AM.  Looks like both reports ran according to splunk.  The problem I have now is finding the actual .csv files on the splunk server so I can scp them.

Thank...

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kiran_panchavat
Champion
‎04-22-2025 05:25 AM

@David_M 

By default, when a Splunk report generates a CSV file (e.g., using the outputcsv command or scheduled report export), the files are saved in the $SPLUNK_HOME/var/run/splunk/csv directory on the search head where the report was executed.

$SPLUNK_HOME is typically /opt/splunk on Linux systems, so the full path would be /opt/splunk/var/run/splunk/csv/.

Navigate to this directory using a terminal:

cd /opt/splunk/var/run/splunk/csv
ls -l

Look for files with a .csv extension. The file names might correspond to the report name, search job ID, or a custom name specified in the report configuration

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Outputcsv

Please refer to this for more details, as highlighted by @gcusello : 

https://community.splunk.com/t5/Getting-Data-In/Is-there-anyway-to-generate-and-store-CSV-files-in-a... 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

View solution in original post

Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎04-22-2025 06:23 AM

Hi @David_M 

Did you use outputcsv, or some other method for exporting the csv such as using the "Output results to lookup" alert action?

As previously mentioned - the output path for outputcsv is $SPLUNK_HOME/var/run/splunk/csv - however these files are not replicated across the cluster if you are running a SHC. 

If you're using the outputcsv, can you confirm you arent using dispatch=true ? If you are you then your job will be in $SPLUNK_HOME/var/run/splunk/dispatch/<job id>/csv

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply
Solved! Jump to solution
Solution

kiran_panchavat
Champion
‎04-22-2025 05:25 AM

@David_M 

By default, when a Splunk report generates a CSV file (e.g., using the outputcsv command or scheduled report export), the files are saved in the $SPLUNK_HOME/var/run/splunk/csv directory on the search head where the report was executed.

$SPLUNK_HOME is typically /opt/splunk on Linux systems, so the full path would be /opt/splunk/var/run/splunk/csv/.

Navigate to this directory using a terminal:

cd /opt/splunk/var/run/splunk/csv
ls -l

Look for files with a .csv extension. The file names might correspond to the report name, search job ID, or a custom name specified in the report configuration

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Outputcsv

Please refer to this for more details, as highlighted by @gcusello : 

https://community.splunk.com/t5/Getting-Data-In/Is-there-anyway-to-generate-and-store-CSV-files-in-a... 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Solved! Jump to solution

David_M
Explorer
‎04-22-2025 06:50 AM

Hi Kiran,

Yea adding the outputcsv command fixed the issue.

 

Thanks!

David

Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎04-22-2025 09:40 AM

@David_M  Good to know that adding the outputcsv command resolved the issue.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Solved! Jump to solution

David_M
Explorer
‎04-22-2025 05:31 AM

Hi Kiran,

Well I checked the directory mentioned in the posts and the files aren't there for some reason.

David

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎04-22-2025 05:56 AM

@David_M 

Verify that the reports are configured to generate CSV files. In Splunk Web, go to Settings > Searches, Reports, and Alerts, find your reports, and check their settings.
 

you have two choices:

1) schedule an alert adding csv as attachment, to receive the csv via email.

2) you could schedule a report adding the outputcsv command at the end.

In this way, you save your report as csv in a pre-defined folder (not changeable!).

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...