index=bigdata | dump basefilename=MyExport
How does this command know the path to save, and how do I change the path to save, such as the desktop or somewhere else?
Based on the docs here - https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Dump
It gets saved to the dump directory of the search ($SPLUNK_HOME/var/run/splunk/dispatch/{SID}/dump/). To find the SID, you can look at the end of your URL (it will say something like sid=1480626241.4257) or in the search job inspector.
Using the sid example above you would navigate to
$SPLUNK_HOME/var/run/splunk/dispatch/1480626241.4257/dump
to find the file.
You can specify a directory appended to this by setting a _dstpath variable
|eval _dstpath=yourdirname
but note this appends to the dump location and is not used to specify just anywhere on disk.
You can see where it is written after the command is run as the results will display the rolledfile location.
How do I write _dstpath if I want to save to this location: "C:\Users\nagarjuna reddy\Desktop"?
eval _dstpath=strftime(_time, "%Y%m%d/%H") + "/" + C:\\Users\\nagarjuna reddy\\Desktop | dump basefilename=MyExport
Is this the way?
You won't be able to, as my answer stated: "but note this appends to the dump location and is not used to specify just anywhere on disk".
The _dstpath only appends to the search's dump directory.
Notice another post regarding this - https://answers.splunk.com/answers/306301/how-can-i-identify-the-full-path-to-the-output-fil.html
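Because _dstpath only appends to the job's dump directory, getting the export onto the Desktop means copying it out of the dispatch directory after the search finishes. The script below is an added example, not part of the original thread or of Splunk's own tooling; the function names and the SID character check are assumptions made for illustration.

```python
import re
import shutil
import sys
from pathlib import Path

# Assumption: SIDs contain only letters, digits, "_", "." and "-"
# (the page's example is 1480626241.4257). Anything else is refused so a
# pasted value cannot walk out of the dispatch directory.
SID_RE = re.compile(r"[A-Za-z0-9_.-]+")


def dump_dir(splunk_home, sid, dstpath=""):
    """Resolve $SPLUNK_HOME/var/run/splunk/dispatch/{SID}/dump[/_dstpath]."""
    if not SID_RE.fullmatch(sid) or set(sid) == {"."}:
        raise ValueError(f"unexpected SID: {sid!r}")
    base = Path(splunk_home, "var", "run", "splunk", "dispatch", sid, "dump").resolve()
    target = (base / dstpath).resolve()
    # _dstpath is appended to the dump directory; this helper refuses a
    # value that would resolve anywhere else (absolute path, "..").
    if target != base and base not in target.parents:
        raise ValueError(f"_dstpath leaves the dump directory: {dstpath!r}")
    return target


def collect_dump_files(splunk_home, sid, dest, dstpath=""):
    """Copy every file dump wrote for this job into dest; return the copies."""
    src = dump_dir(splunk_home, sid, dstpath)
    if not src.is_dir():
        raise FileNotFoundError(f"no dump output at {src}")
    copied = []
    for f in sorted(src.rglob("*")):
        if f.is_file() and not f.is_symlink():
            out = Path(dest) / f.relative_to(src)
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, out)
            copied.append(out)
    return copied


if __name__ == "__main__" and len(sys.argv) == 4:
    # usage: python collect_dump.py <SPLUNK_HOME> <SID> <destination folder>
    for path in collect_dump_files(*sys.argv[1:4]):
        print(path)
```

Run it on the search head with an account that can read the dispatch directory, passing the SID taken from the URL or the search job inspector.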