dump

Synopsis

Executes a given search query and export events to a set of chunk files on local disk.

Syntax

dump basefilename=<string> [rollsize=<number>] [compress=<number>] [format=<string>] [fields=<comma-delimited-string>]

Required arguments

basefilename

Syntax: basefilename=<string>

Description: The prefix of the export filename.

Optional arguments

compress

Syntax: compress=<number>

Description: The gzip compression level. Specify a number from 0 to 9, where 0 means no compression and a higher number means more compression and slower writing speed. Defaults to 2.

fields

Syntax: fields=<comma-delimited-string>

Description: A list of Splunk event fields exported to export data. Invalid fields will be ignored.

format

Syntax: format= raw | csv | tsv | json | xml

Description: The output data format.

rollsize

Syntax: rollsize=<number>

Description: The minimum file size, in MB, at which point no more events are written to the file and it becomes a candidate for HDFS transfer. Defaults to 64MB.

Description

This command runs a specified search query and oneshot export search result to local disk at "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump". It recognizes a special field in the input events, _dstpath, which if set will be used as a path to be appended to dst to compute final destination path.

Examples

Example 1: Export all events from index "bigdata" to the location "YYYYmmdd/HH/host" at "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump/" directory on local disk with "MyExport" as the prefix of export filenames. Partitioning of the export data is achieved by eval preceeding the dump command.

index=bigdata | eval _dstpath=strftime(_time, "%Y%m%d/%H") + "/" + host | dump basefilename=MyExport

Example 2: Export all events from index "bigdata" to the local disk with "MyExport" as the prefix of export filenames.

index=bigdata | dump basefilename=MyExport

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the dump command.