Splunk Search

export results to csv

Contributor

What's the easiest way to export Splunk search results to a CSV file that I can open in Excel?

1 Solution

Splunk Employee

If there are fewer than 10,000 lines to export, then use "Actions>Export Results..." from the Search or Charting views, after a search has finished running. The menu item is not available on most other dashboards or views.

I think that the "Action" menu is nearly invisible, so lots of people miss it.


New Member

Append "| sort Sourcetype | outputcsv output.csv" to your search.

After the query runs, you should be able to go to the $SPLUNK_HOME/var/run/splunk/csv directory and see output.csv.

0 Karma

Communicator

Today I had the problem that a user wanted to export a CSV with over 13 million lines.
He let the search run in the background and it took over a day to complete.
Now he could not export his results and I did not want to run the search again with outputcsv.

The solution I came up with was to look on the search head and find the result file for the search:
/opt/splunk/var/run/splunk/dispatch//results.csv.gz

I hope this helps everybody who has the same issue.
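For opening such a file in Excel, here is an added example (not part of the original thread and not Splunk tooling) that streams a gzipped results file into parts that each fit within Excel's limit of 1,048,576 rows per worksheet. It assumes the file is a plain gzipped CSV whose first row is the header; the sample data and the `results_partNNN.csv` output names are constructed for illustration.

```python
import csv
import gzip
import os
import tempfile

EXCEL_MAX_ROWS = 1_048_576  # rows per Excel worksheet, header included


def split_results(gz_path, out_dir, rows_per_file=EXCEL_MAX_ROWS - 1):
    """Stream a gzipped CSV into parts; return [(path, data_row_count), ...]."""
    parts = []  # [path, data_row_count] for each part written
    out = writer = None
    with gzip.open(gz_path, "rt", newline="", encoding="utf-8") as src:
        reader = csv.reader(src)  # handles quoted fields with embedded newlines
        header = next(reader, None)
        if header is None:
            return []  # empty input: nothing to write
        try:
            for row in reader:
                if writer is None or parts[-1][1] >= rows_per_file:
                    if out:
                        out.close()
                    name = f"results_part{len(parts) + 1:03d}.csv"
                    path = os.path.join(out_dir, name)
                    # utf-8-sig adds a BOM so Excel detects the encoding
                    out = open(path, "w", newline="", encoding="utf-8-sig")
                    writer = csv.writer(out)
                    writer.writerow(header)  # repeat the header in every part
                    parts.append([path, 0])
                writer.writerow(row)
                parts[-1][1] += 1
        finally:
            if out:
                out.close()
    return [tuple(p) for p in parts]


def demo():
    """Build a small constructed results.csv.gz and split it, 3 rows per part."""
    work = tempfile.mkdtemp()
    gz_path = os.path.join(work, "results.csv.gz")
    with gzip.open(gz_path, "wt", newline="", encoding="utf-8") as f:
        w = csv.writer(f)
        w.writerow(["_time", "sourcetype", "_raw"])
        for i in range(7):
            w.writerow([f"t{i}", "syslog", f'line {i}, with "quotes"\nand a newline'])
    return split_results(gz_path, work, rows_per_file=3)


if __name__ == "__main__":
    print(demo())
```

Work on a copy of the file rather than inside the dispatch directory, since Splunk manages and expires the contents of that directory.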

Splunk Employee

What version of Splunk are you running?

0 Karma

Splunk Employee

Alternatively, try the outputcsv command like this:

splunk > my super cool search | outputcsv mycsvfilename

Motivator

You could have a look on Splunkbase at the TA-XLS, which allows in version 0.1 to convert the .csv generated by outputcsv to an Excel sheet, and sendfile for sending it as an email attachment. The new version 0.2 has an outputcsv command that directly generates a .xls and allows for sending it via email. (I have trouble uploading the new version right now, but in a day or so it should be there.)

0 Karma

New Member

I have been trying to export my search query's result to a CSV file using 'outputcsv', but no file is getting created. I am not getting any error either.

Here is my search query:

| outputcsv trial.csv

Please help.

Are any settings required to get the CSV output?

0 Karma

Communicator

This worked well. Myself and a user could not export CSV files to our desktop. This dropped the file in our pool/var/run/splunk directory. AND the export link worked with this search. (v 4.3.4) I wonder if the initial problem is because our pooled search heads are behind a load balancer...?

0 Karma


Communicator

I could not find the "Action" menu in version 4.3.4. There is an "-> Export" link just above the list of matching events, though.

0 Karma

Engager

+1 for 'I think that the "Action" menu is nearly invisible, so lots of people miss it.'!

Contributor

Both of these are good answers, but this one matches more closely what I was trying to do. Thanks!
