Splunk® Enterprise

Search Manual

Export data using Splunk Web

You can export the event data from a search, report, or pivot job to various formats. You can then archive the file, or use the file with a third-party charting application.

  1. After you run a search, report, or pivot, click the Export button. The Export button is one of the Search action buttons.

    The Export button shows an arrow pointing down with a horizontal line under the arrow. It appears on the right side of the screen, immediately to the right of the Print button.

    If the button is not visible, the button has been hidden by your system administrator to prevent data export.

    The Export Results dialog box contains the choices Format, File Name, and Number of Results.

    Sometimes your search must be run again before the results can be exported. See When exporting triggers your search to run again.

  2. Click Format and select the format that you want the search results to be exported in. The supported formats depend on the type of job artifact that you are working with.

    | Format | Ad hoc searches | Saved searches | Notes |
    |---|---|---|---|
    | CSV | X | X | |
    | JSON | X | X | |
    | PDF | | X | If the search is a saved search, such as a Report, you can export using the PDF format. |
    | Raw Events | X | X | If the search generates calculated data that appears on the Statistics tab, you cannot export using the Raw Events format. |
    | XML | X | X | |

  3. Optional. In the File Name field, you can type a name for the export file where the event data will be stored. If you do not specify a file name, a file is created using the search job ID as the file name. The search job ID is the UNIX time when the search was run. For example, 1463687468_7.csv.
  4. Optional. In the Number of Results field, you can specify the number of results that you want to export. If you do not specify a number, all of the events are exported. For example, if you specify 500 in the Number of Results field, only the first 500 results returned from your search are exported.
  5. Click Export to save the job events in the export file. The file is saved in the default download directory for your browser or operating system. For example, for most Windows and Mac OS X users the export file appears in the default Downloads directory. On Linux, check the XDG configuration file for the download directory.
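Because the default file name is the UNIX time when the search was run, a responder reviewing a download directory can recover when each exported search ran. The following is an added example, not part of the Splunk documentation; the function names, the sample file names, the restriction to the csv, json, pdf and xml extensions, and the handling of a browser's " (1)" duplicate suffix are assumptions.

```python
import re
from datetime import datetime, timezone

# Default export name described above: <UNIX time>_<n>.<ext>, e.g. 1463687468_7.csv.
# Assumptions: only extensions that follow directly from the format table are
# accepted, and a browser may append " (1)" when the same job is saved twice.
DEFAULT_EXPORT = re.compile(
    r"^(?P<epoch>\d{10})_(?P<seq>\d+)(?:\s?\((?P<copy>\d+)\))?"
    r"\.(?P<ext>csv|json|pdf|xml)$",
    re.IGNORECASE,
)

def parse_export_name(name):
    """Return details for a default-named export file, or None if it does not match."""
    m = DEFAULT_EXPORT.match(name)
    if m is None:
        return None
    ran = datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)
    return {
        "file": name,
        "search_run_utc": ran.isoformat(),
        "seq": int(m.group("seq")),
        "copy": int(m.group("copy") or 0),  # 0 = first download of this job
        "format": m.group("ext").lower(),
    }

def triage(names):
    """Keep default-named exports, ordered by the time their search ran.

    A file that does not match proves nothing: the File Name field lets the
    user choose any name, so this only surfaces exports left at the default.
    """
    hits = [p for p in map(parse_export_name, names) if p is not None]
    return sorted(hits, key=lambda h: (h["search_run_utc"], h["seq"], h["copy"]))

# Constructed sample listing of a download directory (not real data).
SAMPLE = [
    "1463687468_7.csv",
    "quarterly_report.csv",
    "1463687468_7 (1).csv",
    "1463600000_12.JSON",
    "notes_2016.xml",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["search_run_utc"], hit["format"], hit["file"])
```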

When exporting triggers your search to run again

If your search returns a large number of results, it is possible that not all of the results will be stored with the search job artifact.

When you export search results, the export process is based on the search job artifact, not the results in the Search app. If the artifact does not contain the full set of results, a message appears at the bottom of the Export Results dialog box to tell you that the search will be rerun by the Splunk software before the results are exported.

The search is rerun when the search head believes that it cannot retrieve all of the events from the job artifact. The search head determines when to rerun the search based on the following logic:

  • If the search is not a report, and one of the following is true:
    • The search is not done
    • The search is using a remote timeline
    • The search head believes that the search has not retained all of the events

Extend the session timeout when exporting large amounts of data

When you export large amounts of data using the Export button, the session might time out before the export is complete. You can extend the session timeout limit.

  1. Click Settings > Server Settings > General Settings.
  2. In the Splunk Web section, increase the number in the Session timeout field.
  3. Click Save.

Increase the timeout setting to allow more time for the connection between your browser and Splunk Web.

Forward data to third-party systems

You can forward the data that you export to third-party systems.

Use reports to send results to stakeholders

You can schedule reports to run on a regular interval and send the results to project stakeholders by email. The emails can present the report results in tables in the email, and as CSV or PDF attachments. The emails can also include links to the report results in Splunk Enterprise. See Schedule Reports in the Reporting Manual.

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0

