Splunk Search

How to export search results into a text file using search

mbasharat
Builder

Hi,

I am exploring some options for exporting data into text file from Splunk. I have a scheduled saved search which produces results like below in statistical table format. I need this to be written to a .txt file. Results written need to be appended to existing txt file.

 

count      index      sourcetype                      time                                               results 

0                   A                      B               04/05/2022 00:00:00         Success exceeds Failures 

 

Thanks in-advance!!!!!!

Labels (4)
0 Karma

mayurr98
Super Champion
0 Karma

mbasharat
Builder

I tried but thats for raw. I tried using it for stats table and it did not generate anything in specified directory.

0 Karma

mayurr98
Super Champion

you would need to format the output

<your search>
| table count index sourcetype time results 
| eval _raw = mvzip(mvzip(mvzip(mvzip(count, index, " "), sourcetype, " "),time, " "),results, " ")
| outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv append=t results.txt
0 Karma

mbasharat
Builder

Quick Q. The file frim savedsearch will be written on SH correct? We have SH cluster. Also, can path be defined at SPL level? Thanks.

0 Karma

mayurr98
Super Champion

I do not think you can change the path explicitly in SPL

https://community.splunk.com/t5/Getting-Data-In/How-to-change-the-location-a-saved-search-outputs-a-...

 

however, you can write cron jobs to move the file on OS level.

0 Karma

mbasharat
Builder

Understood. Testing it for output. Will update shortly. Thank you.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...