Solved: Export results to .txt

aymericbrun · ‎05-19-2011

Hi,

I was wondering if it's possible to export search and table results in a txt file ? (with a script, a command, ...)

I've seen that was possible to export in json, xml and csv, but not in a txt file.

Thanks

bwooden · ‎05-19-2011

There are a few ways to do it.

From the GUI, you should also see a "Raw Events" as an export option along with json, xml, and csv.

From the search language, there are several ways to do it as well. Here is one example that will export to a text file, $SPLUNK_HOME/var/run/splunk/results.txt

outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt

View solution in original post

aymericbrun · ‎05-23-2011

Thank you for your quick answer, but the second command you wrote doesn't work. In fact, it works better than your first command, but the results are not appended to the existing results.txt. Splunk keeps creating a new "results.txt" witch contains the results of the last search, results are not added in the existing file.

Here's what i wrote:

Have you an idea ?

Extra : I have a second problem, the search can't finalize because "subsearch auto-finalized after time limit (30 seconds) reached". I search how to disable this but i can't find anything !

aymericbrun · ‎05-23-2011

Thank you very much for your help! Now it works really well (thanks to your last answer)

bwooden · ‎05-23-2011

You can prepend instead of append to eliminate the subsearch. NB: In below text, due to comment formatting, replace the two instances of ~ with a _

aymericbrun · ‎05-20-2011

I have another question 🙂

Everytime i do that command, a new "results.txt" is created, witch replace (and erase) the last "results.txt". Is it possible to write at the end of this file ?

When i start this search, i'd like the results be added at the end of the file, to have a bigger and bigger file everytime i start the search.

Regards

vkakani60 · ‎09-08-2016

| outputcsv append=true create_empty=false results

here the search results will be saved in resutls.csv under $SPLUNK_HOME/var/run/*.csv

bwooden · ‎05-23-2011

The above comment should have a '_' prefix before the xml and the asterik but were used to italicize the text between

bwooden · ‎05-20-2011

outputcsv doesn't currently support an append. So we use it as an input, add a search to it, and the write the results out again...

aymericbrun · ‎05-20-2011

Works perfectly, great !

Thank you very much

bwooden · ‎05-19-2011

There are a few ways to do it.

From the GUI, you should also see a "Raw Events" as an export option along with json, xml, and csv.

From the search language, there are several ways to do it as well. Here is one example that will export to a text file, $SPLUNK_HOME/var/run/splunk/results.txt

outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt

vkakani60 · ‎09-08-2016

But even if you mention results.txt the output would result.txt.csv. I faced the same situation.
The output of the|outputcsv is always .csv ?

miwalker · ‎06-26-2012

+2 for you, works like a champ. Thanks!

simonattardGO · ‎02-03-2012

Hi,

I found this post very helpful! 🙂

I have a small question about it. Is there a way how to store the exported file in a different folder? Eg. in /tmp/ ?

Thanks a lot!

vkakani60 · ‎09-08-2016

NO...! You can't export the |outputcsv to /tmp/ or some other folder, according to the |outputcsv doc

the file will save $SPLUNK_HOME/var/run/*.csv ,
example directory
C:\Program Files\Splunk\var\run\splunk\csv

Export results to .txt

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...