Export event data

Export event data

Use the export CLI command to copy or archive events from Splunk's indexes. The export command does not remove any data -- it just makes a copy.

Important: Because the export command runs on active index files, you may lose data unless you stop Splunk before using it. You can run this command while Splunk is running, however.

via the CLI

Note: To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and preface CLI commands with ./splunk.

At minimum, specify an index from which to export data and a directory to copy the exported data into:

./splunk export eventdata <index> -dir <directory to copy into>

Optionally add search restrictions with -host, -source, -sourcetype or -terms:

./splunk export eventdata <index> -dir <directory to copy into> -host <host> -sourcetype <sourcetype> -source <source> -terms <search terms

The exported data is recreated in directories and files matching the original sources in the destination directory.

For example:

./splunk export eventdata my_apache_data index -dir /tmp/apache_raw_404_logs -host localhost -terms "404 html"

Export to CSV

You can export search results to CSV with the following commands.

To export the results of a search:

./splunk search '<search criteria>' -maxresults 200 -format csv >/splunk/export.csv 

To export the results of a dispatched search:

 ./splunk dispatch '<search criteria>' -maxout 200 -format csv >/splunk/export.csv 

Note: Type: ./splunk help export to see all of the export command's available arguments and parameters.

via Splunk Web

To export data via Splunk Web, run your search and choose Export from the drop-down menu to the left of the search box.

Select the format of the results (txt or CSV) and and the number of events that should be exported.

• Was this topic useful?
• Post a comment