- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to export search results into a text file using search
Hi,
I am exploring some options for exporting data into text file from Splunk. I have a scheduled saved search which produces results like below in statistical table format. I need this to be written to a .txt file. Results written need to be appended to existing txt file.
count index sourcetype time results
0 A B 04/05/2022 00:00:00 Success exceeds Failures
Thanks in-advance!!!!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/d02c8/d02c884d8b9721445f10572fd724ddd6caaa8cde" alt="mayurr98 mayurr98"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried but thats for raw. I tried using it for stats table and it did not generate anything in specified directory.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/d02c8/d02c884d8b9721445f10572fd724ddd6caaa8cde" alt="mayurr98 mayurr98"
you would need to format the output
<your search>
| table count index sourcetype time results
| eval _raw = mvzip(mvzip(mvzip(mvzip(count, index, " "), sourcetype, " "),time, " "),results, " ")
| outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv append=t results.txt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Quick Q. The file frim savedsearch will be written on SH correct? We have SH cluster. Also, can path be defined at SPL level? Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/d02c8/d02c884d8b9721445f10572fd724ddd6caaa8cde" alt="mayurr98 mayurr98"
I do not think you can change the path explicitly in SPL
however, you can write cron jobs to move the file on OS level.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Understood. Testing it for output. Will update shortly. Thank you.
data:image/s3,"s3://crabby-images/2f34b/2f34b8387157c32fbd6848ab5b6e4c62160b6f87" alt=""