Splunk Search

export results to csv

Justin_Grant
Contributor

What's the easiest way to export Splunk search results to a CSV file that I can open in Excel?

1 Solution

gkanapathy
Splunk Employee
Splunk Employee

If there are fewer than 10,000 lines to export, then "Actions>Export Results..." from the Search or Charting views, after a search has finished running. The menu item is not available on most other dashboards or views.

I think that the "Action" menu is nearly invisible, so lots of people miss it.

View solution in original post

bergen288
Engager

Where is the default location of CSV output file defined in search string on Windows Server 2016?

0 Karma

kalmira
New Member

Append "| sort Sourcetype | outputcsv output.csv" to your search.

After the query runs, you should be able to go to $SPLUNK_HOME/ var/run/splunk/csv directory and see output.csv

0 Karma

peter_krammer
Communicator

Today I had the Problem that a User wanted to export a CSV with over 13 million lines.
He let the Search run in the background and it took over a day to complete.
Now he could not export his results and I did not want to run the search again with outputcsv.

The solution I came up with was to look on the search head and find the result file for the search:
/opt/splunk/var/run/splunk/dispatch//results.csv.gz

I hope this helps everybody who has the same issue.

Dan
Splunk Employee
Splunk Employee

gkanapathy
Splunk Employee
Splunk Employee

What version of Splunk are you running?

0 Karma

hulahoop
Splunk Employee
Splunk Employee

Alternatively, try the outputcsv command like this:

splunk > my super cool search | outputcsv mycsvfilename

dominiquevocat
SplunkTrust
SplunkTrust

you could have a look in splunkbase at the TA-XLS which allows in version 0.1 to convert the .csv generated by outputcsv to a Excelsheet and sendfile for sending it as a email attachment. The new version 0.2 has a outputcsv command that directly generates a .xls and allows for sending it via email. (i have trouble uploading the new version right now but in a day or so it should be there).

0 Karma

poojag
New Member

I have been trying to export my search query's result to a csv file using 'outputcsv'. But no file is getting created. Not getting any error too.

Here is my search query:

| outputcsv trial.csv

Please help.

Are any settings required to be done to get the CSV output.

0 Karma

I_am_Jeff
Communicator

This worked well. Myself and a user that could not export a csv files to our desktop. This dropped the file in our pool/var/run/splunk directory. AND the export link worked with this search. (v 4.3.4) I wonder if the initial problem is becauser our pooled search heads are behind a load balancer. . . ?

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

If there are fewer than 10,000 lines to export, then "Actions>Export Results..." from the Search or Charting views, after a search has finished running. The menu item is not available on most other dashboards or views.

I think that the "Action" menu is nearly invisible, so lots of people miss it.

I_am_Jeff
Communicator

I could not find the "Action" menu in version 4.3.4. There is an "-> Export" link just above list of matching events, though.

0 Karma

pkaeding
Engager

+1 for 'I think that the "Action" menu is nearly invisible, so lots of people miss it.'!

Justin_Grant
Contributor

Both of these are good answers, but this one matches more closely what I was trying to do. thanks!

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...