dump command is an internal, unsupported, experimental command. See
About internal commands
For Splunk Enterprise deployments, export search results to a set of chunk files on local disk. For information about other export methods, see Export search results in the Search Manual.
dump basefilename=<string> [rollsize=<number>] [compress=<number>] [format=<string>] [fields=<comma-delimited-string>]
- Syntax: basefilename=<string>
- Description: The prefix of the export filename.
- Syntax: compress=<number>
- Description: The gzip compression level. Specify a number from 0 to 9, where 0 means no compression and a higher number means more compression and slower writing speed.
- Default: 2
- Syntax: fields=<comma-delimited-string>
- Description: A list of the fields to be exported. The entire list must be enclosed in quotation marks. Invalid field names are ignored.
- Syntax: format= raw | csv | tsv | json | xml
- Description: The output data format.
- Default: raw
- Syntax: rollsize=<number>
- Description: The minimum file size, in MB, at which point no more events are written to the file and it becomes a candidate for HDFS transfer.
- Default: 63 MB
This command runs a specified search query and oneshot export search result to local disk at "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump". It recognizes a special field in the input events, _dstpath, which if set will be used as a path to be appended to dst to compute final destination path.
dump command preserves the order of events as the events are received by the command.
Example 1: Export all events from index "bigdata" to the location "YYYYmmdd/HH/host" at "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump/" directory on local disk with "MyExport" as the prefix of export filenames. Partitioning of the export data is achieved by eval preceeding the dump command.
index=bigdata | eval _dstpath=strftime(_time, "%Y%m%d/%H") + "/" + host | dump basefilename=MyExport
Example 2: Export all events from index "bigdata" to the local disk with "MyExport" as the prefix of export filenames.
index=bigdata | dump basefilename=MyExport
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the dump command.
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 8.0.0, 7.0.11, 7.0.3, 7.0.5, 7.0.0, 7.1.3, 7.0.2, 7.0.8, 7.1.6, 7.2.3, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9