Related Answers
Download topic as PDF
dump
The dump command is an internal, unsupported, experimental command. See
About internal commands.
Description
For Splunk Enterprise deployments, export search results to a set of chunk files on local disk. For information about other export methods, see Export search results in the Search Manual.
Syntax
dump basefilename=<string> [rollsize=<number>] [compress=<number>] [format=<string>] [fields=<comma-delimited-string>]
Required arguments
- basefilename
- Syntax: basefilename=<string>
- Description: The prefix of the export filename.
Optional arguments
- compress
- Syntax: compress=<number>
- Description: The gzip compression level. Specify a number from 0 to 9, where 0 means no compression and a higher number means more compression and slower writing speed.
- Default: 2
- fields
- Syntax: fields=<comma-delimited-string>
- Description: A list of the fields to be exported. The entire list must be enclosed in quotation marks. Invalid field names are ignored.
- format
- Syntax: format= raw | csv | tsv | json | xml
- Description: The output data format.
- Default: raw
- rollsize
- Syntax: rollsize=<number>
- Description: The minimum file size, in MB, at which point no more events are written to the file and it becomes a candidate for HDFS transfer.
- Default: 63 MB
Usage
This command exports events to a set of chunk files on local disk at "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump". This command recognizes a special field in the input events, _dstpath, which if set is used as a path to be appended to the dst directory to compute the final destination path.
The dump command preserves the order of events as the events are received by the command.
Examples
Example 1: Export all events from index "bigdata" to the location "YYYYmmdd/HH/host" at "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump/" directory on local disk with "MyExport" as the prefix of export filenames. Partitioning of the export data is achieved by eval preceeding the dump command.
index=bigdata | eval _dstpath=strftime(_time, "%Y%m%d/%H") + "/" + host | dump basefilename=MyExport
Example 2: Export all events from index "bigdata" to the local disk with "MyExport" as the prefix of export filenames.
index=bigdata | dump basefilename=MyExport
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the dump command.
|
PREVIOUS collapse |
NEXT findkeywords |
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3
Feedback submitted, thanks!