
Export results to .txt

Explorer

Hi,

I was wondering if it's possible to export search and table results in a txt file? (with a script, a command, ...)

I've seen that it was possible to export in json, xml and csv, but not in a txt file.

Thanks


Re: Export results to .txt

Splunk Employee

There are a few ways to do it.

From the GUI, you should also see a "Raw Events" as an export option along with json, xml, and csv.

From the search language, there are several ways to do it as well. Here is one example that will export to a text file, $SPLUNK_HOME/var/run/splunk/results.txt

outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt


Re: Export results to .txt

Path Finder

Hi,

I found this post very helpful! 🙂

I have a small question about it. Is there a way to store the exported file in a different folder? E.g. in /tmp/?

Thanks a lot!

0 Karma

Re: Export results to .txt

Path Finder

NO...! You can't export the |outputcsv to /tmp/ or some other folder, according to the |outputcsv doc.

The file will be saved to $SPLUNK_HOME/var/run/*.csv,
example directory:
C:\Program Files\Splunk\var\run\splunk\csv

0 Karma

Re: Export results to .txt

Explorer

+2 for you, works like a champ. Thanks!

0 Karma

Re: Export results to .txt

Path Finder

But even if you mention results.txt, the output would be result.txt.csv. I faced the same situation.
Is the output of the |outputcsv always .csv?

0 Karma

Re: Export results to .txt

Explorer

Works perfectly, great!

Thank you very much

0 Karma

Re: Export results to .txt

Explorer

I have another question 🙂

Every time I do that command, a new "results.txt" is created, which replaces (and erases) the last "results.txt". Is it possible to write at the end of this file?

When I start this search, I'd like the results to be added at the end of the file, to have a bigger and bigger file every time I start the search.

Regards

0 Karma

Re: Export results to .txt

Splunk Employee

outputcsv doesn't currently support an append. So we use it as an input, add a search to it, and then write the results out again...

|inputcsv results.txt | append [search * | head 10 | outputtext usexml=false | rename _xml as raw | fields raw | fields - _* ] | outputcsv results.txt

0 Karma

Re: Export results to .txt

Splunk Employee

The above comment should have a '_' prefix before the xml and the asterisk, but these were used to italicize the text between.

0 Karma
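
The two follow-up questions in this thread (storing the export outside Splunk's own directory, and appending instead of overwriting) can also be handled outside SPL by post-processing the file that outputcsv writes. The sketch below is an added example, not code from any poster or from Splunk; it assumes the file is CSV with a `raw` header column, and the function names, file names and sample events are hypothetical.

```python
import csv
import os
import tempfile

# Constructed sample of what `... | fields raw | outputcsv results.txt` leaves
# on disk (assumption: header row "raw", CSV quoting, embedded quotes doubled).
SAMPLE_CSV = (
    'raw\n'
    '"2024-01-01 10:00:00 action=login user=""alice"" status=ok"\n'
    '"2024-01-01 10:00:05 multi-line event\n  second line"\n'
)

def append_raw_events(csv_path, txt_path, column="raw"):
    """Decode one outputcsv file and append its events to txt_path as plain text.

    Returns the number of events appended."""
    with open(csv_path, newline="", encoding="utf-8") as src:
        reader = csv.DictReader(src)
        if not reader.fieldnames or column not in reader.fieldnames:
            raise ValueError(f"{csv_path}: no {column!r} column in header")
        events = [row[column] for row in reader if row[column]]
    # O_APPEND keeps earlier runs; O_NOFOLLOW (where available) refuses a symlink
    # planted at the target, which matters in shared directories such as /tmp.
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(txt_path, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as dst:
        for event in events:
            dst.write(event + "\n")
    return len(events)

def demo():
    """Run the export twice against the sample and return the accumulated text."""
    with tempfile.TemporaryDirectory() as workdir:
        csv_path = os.path.join(workdir, "results.txt.csv")  # hypothetical name
        txt_path = os.path.join(workdir, "all_results.txt")  # hypothetical name
        with open(csv_path, "w", newline="", encoding="utf-8") as f:
            f.write(SAMPLE_CSV)
        first = append_raw_events(csv_path, txt_path)
        second = append_raw_events(csv_path, txt_path)
        with open(txt_path, encoding="utf-8") as f:
            return first, second, f.read()

if __name__ == "__main__":
    print(demo())
```

The target file is created with mode 0600 because exported events often contain usernames, hosts or tokens that other local accounts should not be able to read.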