Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How does the search "index=bigdata | dump basefilename=MyExport" know the path to save this to, and how can I change this path?

nagarjuna280
Communicator
‎12-01-2016 12:42 PM 
index=bigdata | dump basefilename=MyExport

How does this command know the path to save, and how do I change the path to save, such as the desktop or somewhere else?

0 Karma
Reply

Flynt
Splunk Employee
Splunk Employee
‎12-01-2016 01:19 PM

Based on the docs here - https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Dump

It gets saved to the dump directory of the search ($SPLUNK_HOME/var/run/splunk/dispatch/{SID}/dump/ ). To find the SID you can look at the end of your url (it will say something like this sid=1480626241.4257) or in the search job inspector.

Using the sid example above you would navigate to 

$SPLUNK_HOME/var/run/splunk/dispatch/480626241.4257/dump

to find the file.
You can specify a directory appended to this by setting a _dstpath variable

|eval _dstpath=yourdirname

but note this appends to the dump location and is not used to specify just anywhere on disk.

You can see where it is written after the command is run as the results will display the rolledfile location.

Reply

nagarjuna280
Communicator
‎12-01-2016 01:37 PM

how to write _dstpath if i want to save to this location "C:\Users\nagarjuna reddy\Desktop" 

eval _dstpath=strftime(_time, "%Y%m%d/%H") + "/" + C:\\Users\\nagarjuna reddy\\Desktop | dump basefilename=MyExport

is this the way?

0 Karma
Reply

Flynt
Splunk Employee
Splunk Employee
‎12-01-2016 01:39 PM

You won't be able, as my Answer stated

but note this appends to the dump
location and is not used to specify
just anywhere on disk

The _dstpath only appends to the search's dump directory.

Notice another post regarding this - https://answers.splunk.com/answers/306301/how-can-i-identify-the-full-path-to-the-output-fil.html

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...