Splunk Cloud Platform

Search Manual

Export data using Splunk Web

You can export the event data from a search, report, or pivot job to various formats. You can then archive the file, or use the file with a third-party charting application.

  1. After you run a search, report, or pivot, click the Export button. The Export button is one of the Search action buttons.

    This screen image shows the Export button. The button shows an arrow pointing down with a horizontal line under the arrow. The Export button appears on the right side of the screen, immediately to the right of the Print button.

    If the button is not visible, it has been hidden by your system administrator to prevent data export.

    Use the Export Results window to specify the format and name for your export file:
    This screen image shows the Export Results dialog box. The choices in the dialog box are Format, File Name, and Number of Results.

    Sometimes your search must be run again before the results can be exported. See When exporting triggers your search to run again.

  2. Click Format and select the format that you want the search results to be exported in.
    The supported formats depend on the type of job artifact that you are working with.
    Format Ad hoc searches Saved searches Notes
    CSV X X
    JSON X X
    PDF X If the search is a saved search, such as a Report, you can export using the PDF format.
    Raw Events X X If the search generates calculated data that appears on the Statistics tab, you cannot export using the Raw Events format.
    XML X X
  3. Optional. In the File Name field, you can type a name for the export file where the event data will be stored. If you do not specify a file name, a file is created using the search job ID as the file name. The search job ID is the UNIX time when the search was run. For example 1463687468_7.csv.
  4. Optional. In the Number of Results field, you can specify the number of results that you want to export. If you do not specify a number, all of the events are exported. For example, if you specify 500 in the Number of Results field, only the first 500 results returned from your search are exported.
  5. Click Export to save the job events in the export file.

The file is saved in the default download directory for your browser or operating system. For example, for most Windows and Mac OS X users the export file appears in the default Downloads directory. On Linux, check the XDG configuration file for the download directory.

When exporting triggers your search to run again

If your search returns a large number of results, it is possible that not all of the results will be stored with the search job artifact.

When you export search results, the export process is based on the search job artifact, not the results in the Search app. If the artifact does not contain the full set of results, a message appears at the bottom of the Export Results dialog box to tell you that the search will be rerun by the Splunk software before the results are exported.

The search is rerun when the search head believes that it cannot retrieve all of the events from the job artifact. The search head determines when to rerun the search based on the following logic:

  • If the search is not a report, and one of the following is true.
    • The search is not done
    • The search is using a remote timeline
    • The search head believes that the search has not retained all of events

Extend the session timeout when exporting large amounts of data

This capability is not available to Splunk Cloud Platform users.

When you export large amounts of data using the Export button, the session might timeout before the export is complete. Splunk Enterprise users who have a role with the edit_server capability can extend the session timeout limit.

  1. Click Settings > Server Settings > General Settings.
  2. In the Splunk Web section, increase the number in the Session timeout field.
  3. Click Save.

Forward data to third-party systems

You can forward the data that you export to third-party systems.

Use reports to send results to stakeholders

You can schedule reports to run on a regular interval and send the results to project stakeholders by email. The emails can present the report results in tables in the email, and as CSV or PDF attachments. The emails can also include links to the report results in Splunk Enterprise. See Schedule Reports in the Reporting Manual.

Last modified on 26 October, 2021
Export search results   Export data using the CLI

This documentation applies to the following versions of Splunk Cloud Platform: 9.3.2408, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 8.2.2203, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters