Export search results
You can export search results from your Splunk deployment, and forward data to third-party systems, as described in this topic.
What are the available export methods?
The Splunk platform provides several export methods:
- Export data using Splunk Web
- Export data using the CLI
- Export data using SDKs
- Export data using REST API
- Data forwarding
- Deploy and Use Splunk App for CEF
- Deploy and Use Splunk DB Connect
- Install and Use Splunk ODBC Driver with Microsoft Excel
- Install and Use Splunk ODBC Driver with Microsoft PowerBI
- Install and Use Splunk ODBC Driver with Tableau
The export method you choose depends on the data volumes involved and your level of interactivity. For example, a single on-demand search export through Splunk Web might be appropriate for a low-volume export. Alternatively, if you want to set up a higher-volume, scheduled export, the SDK and REST options work best.
For large exports, the most stable method of search data retrieval is the Command Line Interface (CLI). From the CLI, you can tailor your search to external applications using the various Splunk SDKs. The REST API works from the CLI as well, but is recommended only for internal use.
In terms of level of expertise, the Splunk Web and CLI methods are significantly more accessible than the SDKs and REST API, which require previous experience working with software development kits or REST API endpoints.
| Method | Data volume | Interactivity | Notes |
| --- | --- | --- | --- |
| Splunk Web | Low | On-demand, interactive | Easy to obtain on-demand exports |
| CLI | Medium | On-demand, low interactivity | Easy to obtain on-demand exports |
| REST | High | Automated, best for computer-to-computer | Works underneath the SDK |
| SDK | High | Automated, best for computer-to-computer | Best for automation |
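The scheduled, higher-volume case the table assigns to REST, as an added example that is not Splunk's own code: it targets the streaming export endpoint /services/search/jobs/export (assumed from the Splunk REST API, not documented on this page), sends the authentication token in a header rather than on the command line, and consumes the newline-delimited JSON stream row by row so a large export is never held in memory. The sample stream at the bottom is constructed for offline use.

```python
"""Added example: scripted export via the Splunk REST API (not Splunk's own code).
Assumes /services/search/jobs/export with output_mode=json and a bearer token."""
import json
import urllib.parse
import urllib.request

EXPORT_PATH = "/services/search/jobs/export"


def build_export_request(base_url, token, spl, earliest="-24h@h", latest="now"):
    """Build an authenticated POST to the streaming export endpoint.
    The token travels in a header, so it is not visible in the URL, in shell
    history or in the process list; output_mode=json requests one JSON object
    per line so the response can be read incrementally."""
    search = spl if spl.lstrip().startswith(("search ", "|")) else "search " + spl
    body = urllib.parse.urlencode({
        "search": search,
        "output_mode": "json",
        "earliest_time": earliest,
        "latest_time": latest,
    }).encode()
    req = urllib.request.Request(base_url.rstrip("/") + EXPORT_PATH, data=body, method="POST")
    req.add_header("Authorization", "Bearer " + token)
    return req


def parse_export_stream(lines):
    """Yield finished result rows from the export stream, dropping preview rows
    (partial results Splunk emits while the search is still running)."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        obj = json.loads(raw)
        if obj.get("preview") or "result" not in obj:
            continue
        yield obj["result"]


# Constructed sample of what the endpoint streams back (not real data).
SAMPLE_STREAM = [
    '{"preview":true,"offset":0,"result":{"user":"alice","action":"login"}}',
    '{"preview":false,"offset":0,"result":{"user":"alice","action":"login"}}',
    '{"preview":false,"offset":1,"lastrow":true,"result":{"user":"bob","action":"failure"}}',
]


def export_to_file(base_url, token, spl, path):
    """Stream an export to disk; needs a reachable Splunk instance with a valid TLS certificate."""
    with urllib.request.urlopen(build_export_request(base_url, token, spl)) as resp, open(path, "w") as out:
        for row in parse_export_stream(line.decode() for line in resp):
            out.write(json.dumps(row) + "\n")
```

Read the token from a secrets store or an environment variable at run time rather than embedding it in the script, and keep TLS verification on so the exported data cannot be redirected to a spoofed endpoint.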
Supported export formats
You can export Splunk data into the following formats:
- Raw Events (for search results that are raw events and not calculated fields)
- PDF (for saved searches, using Splunk Web)
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 8.2.2105, 8.0.2006, 7.2.9, 7.2.10, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103, 8.2.2104