Splunk® Enterprise

Search Reference

dump

The dump command is an internal, unsupported, experimental command. See About internal commands.

Description

For Splunk Enterprise deployments, export search results to a set of chunk files on local disk. For information about other export methods, see Export search results in the Search Manual.

This command is considered risky because, if used incorrectly, it can pose a security risk or potentially lose data when it runs. As a result, this command triggers SPL safeguards. See SPL safeguards for risky commands in Securing the Splunk Platform.

Syntax

Required syntax is in bold:

dump
basefilename=<string>
[fields="<comma-delimited-string>"]
[rollsize=<number>]
[compress=<number>]
[format=<string>]

Required arguments

basefilename
Syntax: basefilename=<string>
Description: The prefix of the export filename.
fields
Syntax: fields="<comma-delimited-string>"
Description: The list of the fields to export. The entire list must be enclosed in quotation marks. Invalid field names are ignored.
To export all fields, use a wildcard ( * ). For example, fields="*".

Optional arguments

compress
Syntax: compress=<number>
Description: The gzip compression level. Specify a number from 0 to 9, where 0 means no compression and a higher number means more compression and slower writing speed.
Default: 2
format
Syntax: format= raw | csv | tsv | json | xml
Description: The output data format.
Default: raw
rollsize
Syntax: rollsize=<number>
Description: The minimum file size, in MB, at which point no more events are written to the file and it becomes a candidate for HDFS transfer.
Default: 63 MB

Usage

This command exports events to a set of chunk files on local disk at "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump". This command recognizes a special field in the input events, _dstpath, which if set is used as a path to be appended to the dst directory to compute the final destination path.

The dump command preserves the order of events as the events are received by the command.

Capability required

The dump command is considered to be a potentially risky command. To use this command, you must have a role with the run_dump capability. See Define roles on the Splunk platform with capabilities.

For more information about risky commands, see SPL safeguards for risky commands.

Examples

Example 1: Export all events from index "bigdata" to the location "YYYYmmdd/HH/host" at "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump/" directory on local disk with "MyExport" as the prefix of export filenames. Partitioning of the export data is achieved by eval preceding the dump command.

index=bigdata | eval _dstpath=strftime(_time, "%Y%m%d/%H") + "/" + host | dump basefilename=MyExport fields="_time, host, source, sourcetype"

Example 2: Export all events from index "bigdata" to the local disk with "MyExport" as the prefix of export filenames.

index=bigdata | dump basefilename=MyExport fields="_time, host, ipaddress, status"

Example 3: Export all fields from events in the _internal index to the local disk with "TestAllFields" as the prefix of export filenames.

index=_internal | dump basefilename=TestAllFields fields="*" format=json

Last modified on 12 October, 2024
collapse   findkeywords

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters