export raw logs from splunk

paymon
Engager

If I wanted to get a copy of the uncooked or raw syslogs from Splunk, how would I do that?

exporttool seems to only export CSV and not raw syslogs.

PvandenHondel
Explorer

Addendum 2:

Add

...| table _raw | outputcsv output.raw

to your query and find the result file output.raw in the directory

$SPLUNK_HOME/var/run/splunk/csv

jabineer
New Member

Addendum to Maverick's words of wisdom...

Add a filename after outputcsv and find it in the $SPLUNK_HOME/var/run/splunk/ directory.

...| table _raw | outputcsv mySearch.csv

maverick
Splunk Employee

You can run a search to bring back all of the raw events that you would like to export over the time range that is appropriate.

Then append this to the end of your search:

| table _raw | outputcsv

The outputcsv file containing your results should be in the $SPLUNK_HOME/var/run/splunk/ directory.
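One practical catch with the `| table _raw | outputcsv` approach from maverick's, jabineer's and PvandenHondel's answers: the result is a CSV file, not a syslog file. Splunk quotes the _raw column, so events that contain commas, double quotes or embedded newlines (multi-line kernel traces, Java stack traces) come out CSV-escaped, and a naive `cut`/`wc -l` over the file miscounts and mangles them. The following is an added example, not code from any poster in this thread, that decodes such a file back into one string per event and writes a line-per-event raw log; the sample CSV is constructed to look like outputcsv output and is not real data.

```python
import csv
import io
from typing import List

# Constructed sample of what `... | table _raw | outputcsv` writes (not real
# data from the thread). Splunk quotes the _raw column, so commas, quotes and
# embedded newlines survive only if the reader honours CSV quoting.
SAMPLE_OUTPUTCSV = (
    '_raw\n'
    '"Mar  4 10:15:01 host1 sshd[2211]: Failed password for invalid user admin '
    'from 203.0.113.5 port 4412 ssh2"\n'
    '"Mar  4 10:15:02 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; '
    'COMMAND=/bin/cat ""/etc/shadow"""\n'
    '"Mar  4 10:15:03 host2 kernel: Call Trace:\n'
    '  frame 0\n'
    '  frame 1"\n'
)


def naive_line_count(text: str) -> int:
    """What `wc -l` minus the header would report for the CSV file.

    Counts physical lines, so a multi-line event is counted several times.
    """
    return text.count("\n") - 1


def raw_events_from_outputcsv(text: str) -> List[str]:
    """Decode the _raw column of an outputcsv file back into event strings.

    csv.DictReader undoes Splunk's quoting: a doubled quote becomes a single
    quote and a newline inside a quoted field stays inside one event.
    """
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or "_raw" not in reader.fieldnames:
        raise ValueError("no _raw column; put '| table _raw' before outputcsv")
    return [row["_raw"] for row in reader]


def to_syslog_lines(events: List[str]) -> str:
    """Serialise events one per line.

    Embedded newlines are escaped as the two characters '\\n' so that the line
    count of the output file equals the event count (the usual check that an
    export is complete).
    """
    return "".join(e.replace("\n", "\\n") + "\n" for e in events)


if __name__ == "__main__":
    events = raw_events_from_outputcsv(SAMPLE_OUTPUTCSV)
    print(f"naive line count: {naive_line_count(SAMPLE_OUTPUTCSV)}, "
          f"decoded events: {len(events)}")
    # Hypothetical output path; in practice read the file outputcsv wrote
    # under $SPLUNK_HOME/var/run/splunk/ and write wherever the SIEM or
    # archive expects it.
    with open("export.raw", "w", encoding="utf-8") as fh:
        fh.write(to_syslog_lines(events))
```

On the constructed sample the naive line count reports five events while the CSV actually holds three, which is exactly the discrepancy you see when comparing an exported file against the event count Splunk showed for the search. Whether to escape or preserve embedded newlines depends on the consumer; the escaping here is a choice made for this example so that one line equals one event.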

Stephen_Sorkin
Splunk Employee

Given your reference to exporttool, I'd imagine that the other answers here aren't quite right, as they deal with streaming data out at the same time it's indexed.

You probably want to look at the export capabilities added to CLI search in version 4.1. A CLI search like the following will stream all events out of the index to standard out, and can be piped into other programs or redirected into other files:

splunk search '*' -maxout 0
splunk search '*' -maxout 0 | wc -l
splunk search '*' -maxout 0 > exportfile.txt

You can replace the '*' here with any search on keywords or fields. In fact, as long as the search is non-transforming (no stats, sort, timechart, top, ...) you can use other search commands like lookup, eval, where, regex.

gkanapathy
Splunk Employee

And of course you can still use ./splunk export rather than exporttool.

piebob
Splunk Employee

This might also be useful. It's not 'raw' syslog, but you can forward the data in syslog format: http://www.splunk.com/base/Documentation/latest/Admin/Forwarddatatothird-partysystems

piebob
Splunk Employee

there are worse things to have on the brain... 🙂

Lowell
Super Champion

Thanks for the edit piebob, looks like I have 'logs' on the brain. 😉
