
Export search results overview
This topic tells you how to export search results and forward data to third-party systems.
What are the available export methods?
You can export data using the following methods:
- Splunk Web
- The command line interface (CLI) (not available to Splunk Cloud subscribers)
- Splunk Software Development Kits (SDK)
- Representational State Transfer (REST)
- The dump command
- Forward data to third-party systems
Splunk apps
- Deploy and Use Splunk App for CEF
- Deploy and Use Splunk DB Connect
- Hadoop Connect
- Install and Use Splunk ODBC Driver with Microsoft Excel
- Install and Use Splunk ODBC Driver with MicroStrategy
- Install and Use Splunk ODBC Driver with Tableau
Export options
The export method you choose depends on the data volumes involved and the level of interactivity you need. For example, a single on-demand search export through Splunk Web might be appropriate for a low-volume export. Alternatively, if you want to set up a higher-volume, scheduled export, the SDK and REST options work best.
For large exports, the most stable method of search data retrieval is the Command Line Interface (CLI). From the CLI, you can tailor your search to external applications using the various Splunk SDKs. The REST API works from the CLI as well, but is recommended only for internal use.
In terms of level of expertise, the Splunk Web and CLI methods are significantly more accessible than the SDKs and REST API, which require previous experience working with software development kits or REST API endpoints.
Method | Volume | Interactivity | Remarks |
---|---|---|---|
Splunk Web | Low | On-Demand, Interactive | Easy to obtain on-demand exports |
CLI | Medium | On-Demand, Low Interactive | Easy to obtain on-demand exports |
REST | High | Automated, best for computer-to-computer | Works underneath SDK |
SDK | High | Automated, best for computer-to-computer | Best for automation |
Supported export formats
You can export your data to the following formats:
- Raw Events
- CSV
- JSON
- XML
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11