Splunk Search

How do I pipe splunk query output to a file?

Alan_Bradley
Path Finder

How do I take output (say . . . "View Sources") and pipe it to a file?

Tags (2)
1 Solution

matt
Splunk Employee
Splunk Employee

You have couple of options. The basic is simply using redirect to file, you can also use the -format flag.

./splunk search '*' -format csv > file-name

Valid types are: custom, normal, xml, csv, table You can also use one of the output search commands:
http://www.splunk.com/base/Documentation/3.4.9/User/UnsupportedSearchCommands#outputcsv
http://www.splunk.com/base/Documentation/3.4.9/User/UnsupportedSearchCommands#outputraw
and the other outputtxt outputxml

Or the export option from the GUI or CLI: http://www.splunk.com/base/Documentation/3.4.9/Admin/ExportEventData

View solution in original post

mIliofotou_splu
Splunk Employee
Splunk Employee

For Splunk 6.4.x:
Here is a list of different option for exporting to a file from the CLI

$SPLUNK_HOME/bin/splunk search 'index=main' -output table > tofile.txt
$SPLUNK_HOME/bin/splunk search 'index=main | head' -output raw > tofile.txt
$SPLUNK_HOME/bin/splunk search 'index=main | head' -output rawdata > tofile.txt
$SPLUNK_HOME/bin/splunk search '*' -output csv > tofile.txt
$SPLUNK_HOME/bin/splunk search 'index=main id=abs*' -output json > tofile.txt

The default behavior of the CLI search is to export first 100. Use the -maxout 0 option to bypass that limit.


$SPLUNK_HOME/bin/splunk search 'index=main id=abs*' -output json -maxout 0 > tofile.txt

If you don't specify an output option, the default is to only export _raw.

0 Karma

matt
Splunk Employee
Splunk Employee

You have couple of options. The basic is simply using redirect to file, you can also use the -format flag.

./splunk search '*' -format csv > file-name

Valid types are: custom, normal, xml, csv, table You can also use one of the output search commands:
http://www.splunk.com/base/Documentation/3.4.9/User/UnsupportedSearchCommands#outputcsv
http://www.splunk.com/base/Documentation/3.4.9/User/UnsupportedSearchCommands#outputraw
and the other outputtxt outputxml

Or the export option from the GUI or CLI: http://www.splunk.com/base/Documentation/3.4.9/Admin/ExportEventData

barakreeves
Splunk Employee
Splunk Employee

Here is the updated syntax and related doco link:
/splunk search "index=_* audit" -output 'csv' > /var/share/splunk_output/20140724-audit.csv

doco link: http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/CLIsearchsyntax

jameshfisher
New Member

Doesn't work. WARN: The following arguments were unknown or had no effect: 'format'

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...