Solved: Re: export results to csv

Justin_Grant · ‎03-25-2010

What's the easiest way to export Splunk search results to a CSV file that I can open in Excel?

gkanapathy · ‎03-25-2010

If there are fewer than 10,000 lines to export, then "Actions>Export Results..." from the Search or Charting views, after a search has finished running. The menu item is not available on most other dashboards or views.

I think that the "Action" menu is nearly invisible, so lots of people miss it.

View solution in original post

bergen288 · ‎10-29-2021

Where is the default location of CSV output file defined in search string on Windows Server 2016?

kalmira · ‎02-07-2017

Append "| sort Sourcetype | outputcsv output.csv" to your search.

After the query runs, you should be able to go to $SPLUNK_HOME/ var/run/splunk/csv directory and see output.csv

peter_krammer · ‎09-10-2015

Today I had the Problem that a User wanted to export a CSV with over 13 million lines.
He let the Search run in the background and it took over a day to complete.
Now he could not export his results and I did not want to run the search again with outputcsv.

The solution I came up with was to look on the search head and find the result file for the search:
/opt/splunk/var/run/splunk/dispatch//results.csv.gz

I hope this helps everybody who has the same issue.

Dan · ‎04-21-2010

This is also discussed here: http://blogs.splunk.com/2009/08/07/help-i-cant-export-more-than-10000-events/

gkanapathy · ‎04-21-2010

What version of Splunk are you running?

hulahoop · ‎03-25-2010

Alternatively, try the outputcsv command like this:

splunk > my super cool search | outputcsv mycsvfilename

dominiquevocat · ‎01-13-2016

you could have a look in splunkbase at the TA-XLS which allows in version 0.1 to convert the .csv generated by outputcsv to a Excelsheet and sendfile for sending it as a email attachment. The new version 0.2 has a outputcsv command that directly generates a .xls and allows for sending it via email. (i have trouble uploading the new version right now but in a day or so it should be there).

poojag · ‎03-17-2015

I have been trying to export my search query's result to a csv file using 'outputcsv'. But no file is getting created. Not getting any error too.

Here is my search query:

| outputcsv trial.csv

Please help.

Are any settings required to be done to get the CSV output.

I_am_Jeff · ‎03-19-2013

This worked well. Myself and a user that could not export a csv files to our desktop. This dropped the file in our pool/var/run/splunk directory. AND the export link worked with this search. (v 4.3.4) I wonder if the initial problem is becauser our pooled search heads are behind a load balancer. . . ?

gkanapathy · ‎03-25-2010

If there are fewer than 10,000 lines to export, then "Actions>Export Results..." from the Search or Charting views, after a search has finished running. The menu item is not available on most other dashboards or views.

I think that the "Action" menu is nearly invisible, so lots of people miss it.

I_am_Jeff · ‎03-19-2013

I could not find the "Action" menu in version 4.3.4. There is an "-> Export" link just above list of matching events, though.

pkaeding · ‎04-10-2012

+1 for 'I think that the "Action" menu is nearly invisible, so lots of people miss it.'!

Justin_Grant · ‎03-26-2010

Both of these are good answers, but this one matches more closely what I was trying to do. thanks!

export results to csv

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)