export results to csv

Contributor

What's the easiest way to export Splunk search results to a CSV file that I can open in Excel?

1 Solution

Splunk Employee

If there are fewer than 10,000 lines to export, then use "Actions>Export Results..." from the Search or Charting views, after a search has finished running. The menu item is not available on most other dashboards or views.

I think that the "Action" menu is nearly invisible, so lots of people miss it.

New Member

Append "| sort Sourcetype | outputcsv output.csv" to your search.

After the query runs, you should be able to go to the $SPLUNK_HOME/var/run/splunk/csv directory and see output.csv.

0 Karma

Communicator

Today I had the problem that a user wanted to export a CSV with over 13 million lines.
He let the search run in the background and it took over a day to complete.
Now he could not export his results and I did not want to run the search again with outputcsv.

The solution I came up with was to look on the search head and find the result file for the search:
/opt/splunk/var/run/splunk/dispatch//results.csv.gz

I hope this helps everybody who has the same issue.

Splunk Employee

What version of Splunk are you running?

0 Karma

Splunk Employee

Alternatively, try the outputcsv command like this:

splunk > my super cool search | outputcsv mycsvfilename

Motivator

You could have a look on Splunkbase at the TA-XLS, which in version 0.1 allows you to convert the .csv generated by outputcsv to an Excel sheet, and has sendfile for sending it as an email attachment. The new version 0.2 has an outputcsv command that directly generates a .xls and allows for sending it via email. (I have trouble uploading the new version right now, but in a day or so it should be there.)

0 Karma

New Member

I have been trying to export my search query's result to a CSV file using 'outputcsv', but no file is getting created. I am not getting any error either.

Here is my search query:

| outputcsv trial.csv

Please help.

Are any settings required to get the CSV output?

0 Karma

Communicator

This worked well. Myself and a user that could not export a CSV file to our desktop. This dropped the file in our pool/var/run/splunk directory. AND the export link worked with this search. (v 4.3.4) I wonder if the initial problem is because our pooled search heads are behind a load balancer...?

0 Karma

Communicator

I could not find the "Action" menu in version 4.3.4. There is an "-> Export" link just above the list of matching events, though.

0 Karma

Engager

+1 for 'I think that the "Action" menu is nearly invisible, so lots of people miss it.'!

Contributor

Both of these are good answers, but this one matches more closely what I was trying to do. Thanks!