dump command is an internal, unsupported, experimental command. See
About internal commands.
For Splunk Enterprise deployments, export search results to a set of chunk files on local disk. For information about other export methods, see Export search results in the Search Manual.
dump basefilename=<string> [rollsize=<number>] [compress=<number>] [format=<string>] [fields=<comma-delimited-string>]
- Syntax: basefilename=<string>
- Description: The prefix of the export filename.
- Syntax: compress=<number>
- Description: The gzip compression level. Specify a number from 0 to 9, where 0 means no compression and a higher number means more compression and slower writing speed.
- Default: 2
- Syntax: fields=<comma-delimited-string>
- Description: A list of the fields to be exported. The entire list must be enclosed in quotation marks. Invalid field names are ignored.
- Syntax: format= raw | csv | tsv | json | xml
- Description: The output data format.
- Default: raw
- Syntax: rollsize=<number>
- Description: The minimum file size, in MB, at which point no more events are written to the file and it becomes a candidate for HDFS transfer.
- Default: 63 MB
This command exports events to a set of chunk files on local disk at "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump". This command recognizes a special field in the input events,
_dstpath, which if set is used as a path to be appended to the
dst directory to compute the final destination path.
dump command preserves the order of events as the events are received by the command.
Example 1: Export all events from index "bigdata" to the location "YYYYmmdd/HH/host" at "$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump/" directory on local disk with "MyExport" as the prefix of export filenames. Partitioning of the export data is achieved by eval preceeding the dump command.
index=bigdata | eval _dstpath=strftime(_time, "%Y%m%d/%H") + "/" + host | dump basefilename=MyExport
Example 2: Export all events from index "bigdata" to the local disk with "MyExport" as the prefix of export filenames.
index=bigdata | dump basefilename=MyExport
This documentation applies to the following versions of Splunk Cloud Platform™: 8.0.2006, 8.0.2007, 8.1.2011, 8.1.2012, 8.1.2009, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107