Export event data
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Export event data
You can use the export command to selectively copy or archive events from Splunk's indexes. The export command does not remove any data -- it just makes a copy. Since the export command runs on active index files, you must first stop Splunk.
Export from the CLI
To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. You can also add Splunk to your path and use the splunk command.
The command is:
# splunk export eventdata main -dir /copydir [optional search expression]
This command copies all events from the main index to the directory /copydir. The events are placed in a directory structure similar to $SPLUNK_DB.
{export-dir}/{path to splunk install}/var/spool/splunk/{source name...}.
For example,
/copydir/opt/splunk31/splunk/var/spool/splunk/sourcefile.log
Search terms can be added to the command to select a subset of data. For example,
$SPLUNK_HOME/bin/splunk export eventdata main -dir /copydir host::twinkie
Export from the GUI
To use Splunk's GUI, run your search and select Export from the search menu
Select the format of the results (txt or CSV) and and the number of events that should be exported.
This documentation applies to the following versions of Splunk: 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4 View the Article History for its revisions.