Aha! After reading docs, tutorials, and having a heck of a time getting my Universal Forwarder connected, this was the answer. Thanks Martin! ... View more

For Splunk 6.4.x: Here is a list of different option for exporting to a file from the CLI $SPLUNK_HOME/bin/splunk search 'index=main' -output table > tofile.txt $SPLUNK_HOME/bin/splunk search 'index=main | head' -output raw > tofile.txt $SPLUNK_HOME/bin/splunk search 'index=main | head' -output rawdata > tofile.txt $SPLUNK_HOME/bin/splunk search '*' -output csv > tofile.txt $SPLUNK_HOME/bin/splunk search 'index=main id=abs*' -output json > tofile.txt The default behavior of the CLI search is to export first 100. Use the -maxout 0 option to bypass that limit. $SPLUNK_HOME/bin/splunk search 'index=main id=abs*' -output json -maxout 0 > tofile.txt If you don't specify an output option, the default is to only export _raw . ... View more