Unable to filter CLI export

emiller42
Motivator

Hello!

I'm trying to export a subset of logs indexed on one indexer, and then import them into another. I'm attempting to use the cli export tool to do this, and am running into issues.

If I run the following:

./splunk export eventdata -index main -dir /tmp/export

then I get a successful export of everything that has been indexed by the server. Unfortunately, this is far more data than I actually want to export. To try and narrow it down, I'm using further export flags, but they don't appear to be working at all. I'm trying to get a specific set of log files from specific hosts.

Using commands like the following:

./splunk export eventdata -index main -dir /tmp/export -host HOSTNAME

./splunk export eventdata -index main -dir /tmp/export -source LOGFILEPATH

I simply get nothing exported. I've verified that the host name and logfile info is correct, so I'm at a loss as to what is causing it to return nothing. I am assuming that the -host flag is used to denote the forwarder that the logs originated from, and that the -source is the full path of the logfile. (Ex: 'D:\apache-tomcat-6.0.32\bin\server.log'. I have tried it both escaped and not)

Has anyone else run into this issue?

Thanks!

alexiri
Communicator

Yeah, I'm seeing this as well on version 2.4.3. It turns out this is a known issue (SPL-45694) and it's currently being investigated.

0 Karma

xli_splunk
Splunk Employee

I tested the following commands with the 4.3.3 release and both work fine:
splunk export eventdata -index main -dir /temp/events.out -source 'C:\work\test\test.log'
splunk export eventdata -index main -dir /temp/raven -host 'raven-PC'

0 Karma
