Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Saving search results on a network share (Linux SH to Windows network share drive)

tmaltizo
Path Finder
‎04-24-2017 06:39 AM

I'm trying to automate saving search results for use with other programs. I'm not a Splunk admin, but I want to be able to save my search results on a Windows network share for me to access. The Splunk search head (SH) is on Linux.

Search results are saved on the Linux SH at /opt/splunk/etc/apps/search/lookups/awproxy_data.csv
via " | outputlookup awproxy_data.csv" to save this file.

Can I use the "Edit Schedule" option to configure the search to run a script where it can copy this file from the Splunk linux sh to a network share drive, provided the Linux box can communicate with the Windows drive? If so, how can this be scripted? I'm assuming I need an admin to save the script to $SPLUNK_HOME/bin/scripts or $SPLUNK_HOME/etc/search/bin/scripts as the UI noted.

Are there any other options where I don't need to involve a Splunk admin, besides emailing my search results?

Any help is appreciated. Thanks!
Trista

0 Karma
Reply

woodcock
Esteemed Legend
‎04-24-2017 08:54 AM

I once created such a facility using a cron job that ran every hour on the Linux-based search head that did ls $SPLUNK_HOME/etc/apps/*/lookups/CopyMeToShare_*.csv and moved each file that matched to the crossmounted NFS share drive and changed the name by removing the CopyMeToShare_ prefix.

In this manner, you just tell people to name there files with the prefix and wait up to an hour for the magic to happen after calling ... | outputcsv CopyMeToShare_MyRealFileName.csv

0 Karma
Reply

tmaltizo
Path Finder
‎04-24-2017 10:50 AM

Thanks @woodcock!
We are working on the authentication portion in order to copy the file from the SH to to NFS share. Do you have an example of what was scripted in the cron job?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-24-2017 11:19 AM

It was just simple glue scripting, probably bash or perl. It is maybe 5 lines of work, but I do not have a copy. The key is the prefix.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...