Splunk Search
Highlighted

How do I pipe splunk query output to a file?

Path Finder

How do I take output (say . . . "View Sources") and pipe it to a file?

Tags (2)
Highlighted

Re: How do I pipe splunk query output to a file?

Contributor

You have couple of options. The basic is simply using redirect to file, you can also use the -format flag.

./splunk search '*' -format csv > file-name

Valid types are: custom, normal, xml, csv, table You can also use one of the output search commands:
http://www.splunk.com/base/Documentation/3.4.9/User/UnsupportedSearchCommands#outputcsv
http://www.splunk.com/base/Documentation/3.4.9/User/UnsupportedSearchCommands#outputraw
and the other outputtxt outputxml

Or the export option from the GUI or CLI: http://www.splunk.com/base/Documentation/3.4.9/Admin/ExportEventData

View solution in original post

Highlighted

Re: How do I pipe splunk query output to a file?

New Member

Doesn't work. WARN: The following arguments were unknown or had no effect: 'format'

0 Karma
Highlighted

Re: How do I pipe splunk query output to a file?

Communicator

Here is the updated syntax and related doco link:
/splunk search "index=* audit" -output 'csv' > /var/share/splunkoutput/20140724-audit.csv

doco link: http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/CLIsearchsyntax

Highlighted

Re: How do I pipe splunk query output to a file?

Path Finder

For Splunk 6.4.x:
Here is a list of different option for exporting to a file from the CLI

$SPLUNK_HOME/bin/splunk search 'index=main' -output table > tofile.txt
$SPLUNK_HOME/bin/splunk search 'index=main | head' -output raw > tofile.txt
$SPLUNK_HOME/bin/splunk search 'index=main | head' -output rawdata > tofile.txt
$SPLUNK_HOME/bin/splunk search '*' -output csv > tofile.txt
$SPLUNK_HOME/bin/splunk search 'index=main id=abs*' -output json > tofile.txt

The default behavior of the CLI search is to export first 100. Use the -maxout 0 option to bypass that limit.


$SPLUNK_HOME/bin/splunk search 'index=main id=abs*' -output json -maxout 0 > tofile.txt

If you don't specify an output option, the default is to only export _raw.

0 Karma