- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I was wondering if it's possible to export search and table results in a txt file ? (with a script, a command, ...)
I've seen that was possible to export in json, xml and csv, but not in a txt file.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
There are a few ways to do it.
From the GUI, you should also see a "Raw Events" as an export option along with json, xml, and csv.
From the search language, there are several ways to do it as well. Here is one example that will export to a text file, $SPLUNK_HOME/var/run/splunk/results.txt
outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your quick answer, but the second command you wrote doesn't work. In fact, it works better than your first command, but the results are not appended to the existing results.txt. Splunk keeps creating a new "results.txt" witch contains the results of the last search, results are not added in the existing file.
Here's what i wrote:
inputcsv results.txt | append [search source="access_combined" | outputtext usexml=false | rename _xml as raw | fields raw | fields - _* ] | outputcsv results.txt
Have you an idea ?
Extra : I have a second problem, the search can't finalize because "subsearch auto-finalized after time limit (30 seconds) reached". I search how to disable this but i can't find anything !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much for your help! Now it works really well (thanks to your last answer)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
You can prepend instead of append to eliminate the subsearch. NB: In below text, due to comment formatting, replace the two instances of ~ with a _
source="access_combined" | head 10 | outputtext usexml=false | rename ~xml as raw | fields raw | fields - ~* | append [|inputcsv results.txt ] | outputcsv results.txt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have another question 🙂
Everytime i do that command, a new "results.txt" is created, witch replace (and erase) the last "results.txt". Is it possible to write at the end of this file ?
When i start this search, i'd like the results be added at the end of the file, to have a bigger and bigger file everytime i start the search.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| outputcsv append=true
create_empty=false results
here the search results will be saved in resutls.csv under $SPLUNK_HOME/var/run/*.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
The above comment should have a '_' prefix before the xml and the asterik but were used to italicize the text between
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
outputcsv doesn't currently support an append. So we use it as an input, add a search to it, and the write the results out again...
|inputcsv results.txt | append [search * | head 10 | outputtext usexml=false | rename _xml as raw | fields raw | fields - _* ] | outputcsv results.txt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works perfectly, great !
Thank you very much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
There are a few ways to do it.
From the GUI, you should also see a "Raw Events" as an export option along with json, xml, and csv.
From the search language, there are several ways to do it as well. Here is one example that will export to a text file, $SPLUNK_HOME/var/run/splunk/results.txt
outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But even if you mention results.txt the output would result.txt.csv. I faced the same situation.
The output of the|outputcsv is always .csv ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
+2 for you, works like a champ. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I found this post very helpful! 🙂
I have a small question about it. Is there a way how to store the exported file in a different folder? Eg. in /tmp/ ?
Thanks a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NO...! You can't export the |outputcsv
to /tmp/
or some other folder, according to the |outputcsv doc
the file will save $SPLUNK_HOME/var/run/*.csv
,
example directory
C:\Program Files\Splunk\var\run\splunk\csv
data:image/s3,"s3://crabby-images/1a552/1a552ff33d37f94e7c5bc13132edaa973c529815" alt=""