Javascript required
Skip to content Skip to sidebar Skip to footer
Home / Splunk Export Timerange and Import Again

Splunk Export Timerange and Import Again

Acrobat logo Download topic as PDF

Export data using Splunk Web

You tin can export the event data from a search, study, or pivot job to various formats. You lot can then annal the file, or use the file with a third-party charting application.

  1. After you lot run a search, study, or pin, click the Export button. The Export button is i of the Search action buttons.

    This screen image shows the Export button. The button shows an arrow pointing down with a horizontal line under the arrow. The Export button appears on the right side of the screen, immediately to the right of the Print button.

    If the button is not visible, it has been subconscious by your system administrator to prevent information export.

  2. Click Format and select the format that you desire the search results to be exported in.
    The supported formats depend on the blazon of job artifact that you are working with.
    Format Ad hoc searches Saved searches Notes
    CSV X X
    JSON X X
    PDF X If the search is a saved search, such as a Study, you tin can export using the PDF format.
    Raw Events X X If the search generates calculated data that appears on the Statistics tab, y'all cannot export using the Raw Events format.
    XML 10 X
  3. Optional. In the File Name field, you can type a proper name for the consign file where the event information will exist stored. If you practise non specify a file proper name, a file is created using the search task ID as the file name. The search job ID is the UNIX time when the search was run. For example 1463687468_7.csv.
  4. Optional. In the Number of Results field, you can specify the number of results that you lot want to export. If you do not specify a number, all of the events are exported. For case, if you specify 500 in the Number of Results field, but the first 500 results returned from your search are exported.
  5. Click Export to relieve the task events in the consign file.

The file is saved in the default download directory for your browser or operating system. For instance, for virtually Windows and Mac OS X users the export file appears in the default Downloads directory. On Linux, check the XDG configuration file for the download directory.

When exporting triggers your search to run once more

If your search returns a large number of results, it is possible that non all of the results volition be stored with the search job artifact.

When you export search results, the export process is based on the search chore antiquity, non the results in the Search app. If the artifact does not contain the full gear up of results, a message appears at the bottom of the Export Results dialog box to tell yous that the search volition exist rerun by the Splunk software earlier the results are exported.

The search is rerun when the search head believes that it cannot retrieve all of the events from the chore artifact. The search head determines when to rerun the search based on the following logic:

  • If the search is not a report, and 1 of the following is true.
    • The search is not done
    • The search is using a remote timeline
    • The search head believes that the search has not retained all of events

Extend the session timeout when exporting large amounts of data

This capability is not available to Splunk Cloud Platform users.

When you export big amounts of data using the Export push button, the session might timeout earlier the export is complete. Splunk Enterprise users who have a role with the edit_server capability can extend the session timeout limit.

  1. Click Settings > Server Settings > General Settings.
  2. In the Splunk Spider web section, increase the number in the Session timeout field.
  3. Click Salvage.

Forward data to third-party systems

You tin can forwards the data that you lot consign to third-party systems.

  • For an brief overview, see Frontwards information to third party systems in this manual.
  • For more details, encounter Forrad information to third party systems in Forwarding Data.

Utilize reports to send results to stakeholders

You lot can schedule reports to run on a regular interval and send the results to project stakeholders by e-mail. The emails can present the written report results in tables in the e-mail, and as CSV or PDF attachments. The emails can also include links to the report results in Splunk Enterprise. See Schedule Reports in the Reporting Manual.

PREVIOUS
Export search results 		NEXT
Export information using the CLI

This documentation applies to the post-obit versions of Splunk® Enterprise: 7.1.0, 7.1.1, vii.one.two, 7.ane.3, vii.ane.4, 7.ane.5, 7.1.half dozen, 7.1.7, 7.1.8, 7.1.nine, vii.ane.10, 7.2.0, 7.2.1, vii.2.2, 7.2.3, 7.2.4, vii.2.five, 7.ii.6, 7.2.vii, vii.2.8, vii.ii.9, vii.2.ten, vii.iii.0, seven.iii.1, 7.three.ii, 7.three.iii, vii.3.4, seven.3.five, seven.three.6, 7.3.vii, seven.3.8, seven.3.9, 8.0.0, 8.0.1, 8.0.ii, eight.0.3, eight.0.iv, viii.0.5, 8.0.6, eight.0.seven, viii.0.eight, viii.0.9, viii.0.10, 8.1.0, eight.1.ane, 8.ane.2, 8.1.iii, eight.one.four, 8.ane.5, eight.1.6, 8.1.7, 8.1.8, 8.one.9, 8.1.ten, 8.ii.0, 8.2.one, 8.2.two, viii.2.3, 8.2.4, eight.2.5, 8.ii.6

troutonounted.blogspot.com

Source: https://docs.splunk.com/Documentation/Splunk/8.2.6/Search/ExportdatausingSplunkWeb