I'm trying to automate saving search results for use with other programs. I'm not a Splunk admin, but I want to be able to save my search results on a Windows network share for me to access. The Splunk search head (SH) is on Linux.
Search results are saved on the Linux SH at /opt/splunk/etc/apps/search/lookups/awproxy_data.csv
via " | outputlookup awproxy_data.csv" to save this file.
Can I use the "Edit Schedule" option to configure the search to run a script where it can copy this file from the Splunk Linux SH to a network share drive, provided the Linux box can communicate with the Windows drive? If so, how can this be scripted? I'm assuming I need an admin to save the script to $SPLUNK_HOME/bin/scripts or $SPLUNK_HOME/etc/search/bin/scripts as the UI noted.
Are there any other options where I don't need to involve a Splunk admin, besides emailing my search results?
Any help is appreciated. Thanks!
Trista
I once created such a facility using a cron job that ran every hour on the Linux-based search head that did ls $SPLUNK_HOME/etc/apps/*/lookups/CopyMeToShare_*.csv and moved each file that matched to the cross-mounted NFS share drive and changed the name by removing the CopyMeToShare_ prefix.
In this manner, you just tell people to name their files with the prefix and wait up to an hour for the magic to happen after calling ... | outputcsv CopyMeToShare_MyRealFileName.csv
Thanks @woodcock!
We are working on the authentication portion in order to copy the file from the SH to the NFS share. Do you have an example of what was scripted in the cron job?
It was just simple glue scripting, probably bash or perl. It is maybe 5 lines of work, but I do not have a copy. The key is the prefix.
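Since @woodcock says he no longer has a copy, here is one way to write the glue script he describes. This is an added example, not woodcock's original and not anything shipped with Splunk. It assumes the prefix CopyMeToShare_, and takes the source directory pattern and the destination mount as arguments (the paths shown in the comments are placeholders). Note that | outputcsv writes to $SPLUNK_HOME/var/run/splunk/csv/ on the search head, whereas | outputlookup writes to the calling app's lookups directory, so pass whichever directory your search actually writes to. Because anyone who can run a search can drop a prefixed file, the script treats the filename as untrusted: it only ever writes a bare filename into the destination directory and skips anything that is empty or starts with a dot.

```shell
#!/bin/sh
# Hypothetical cron glue: move prefixed CSVs out of Splunk directories onto a share.
# Example crontab line for the splunk user (paths are assumptions):
#   0 * * * * /opt/splunk/bin/scripts/copy_to_share.sh "/opt/splunk/etc/apps/*/lookups" /mnt/share/splunk
set -eu

PREFIX="CopyMeToShare_"

# copy_to_share SRC_DIR_PATTERN DEST_DIR
#   SRC_DIR_PATTERN may contain a glob (e.g. ".../apps/*/lookups"); it is
#   expanded here, so the caller should quote it. Every "${PREFIX}*.csv" found
#   is moved to DEST_DIR with the prefix removed. Prints the number of files moved.
copy_to_share() {
    dest=$2
    moved=0
    # $1 is deliberately unquoted so its glob expands; the -e test guards the
    # no-match case where the shell hands back the literal pattern.
    for f in $1/"${PREFIX}"*.csv; do
        [ -e "$f" ] || continue
        base=${f##*/}              # drop directories
        name=${base#"$PREFIX"}     # drop the prefix
        # Reject names that would be hidden or empty; base can contain no '/'.
        case "$name" in
            ""|.*) continue ;;
        esac
        # mv across filesystems (local disk -> NFS) copies then unlinks the source.
        mv -f -- "$f" "$dest/$name"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Entry point when run from cron; does nothing when sourced without arguments.
if [ "$#" -ge 2 ]; then
    copy_to_share "$1" "$2"
fi
```

Run it from the splunk user's crontab (the Splunk-scheduled-search script hooks need an admin to place scripts, which is what the question was trying to avoid), and give that user write access to only the destination path on the share. If the cron can fire while a scheduled search is still writing its file, add an mtime age check before the mv so a half-written CSV is not moved.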