Splunk.com | SplunkBase | Support

Documentation: 3.3

| Print Version Contents

How Splunk Works
- Overview of Splunk
Getting Started
- Start Splunk
- Administration basics
- Change defaults
- Find and index data
- Add more users
  - Splunk local users
- Start searching
Data Inputs
- How input configuration works
- Configure inputs via Splunk Web
  - Configuration
- Configure inputs via the CLI
  - Data input commands
  - Data input types
- Configure inputs via inputs.conf
- Configure inputs for Windows
  - Configure indexing for Windows event logs
  - Configure Windows registry monitoring input
- WMI input
- Windows registry input
- Configure crawl
  - Configuration
  - Example
- Scripted inputs
  - Configuration
  - Example
- Configure whitelist and blacklist rules
- Log file rotation
  - How log rotation works
- Strip syslog headers before processing
  - Configuration
  - Example
- Determine what files Splunk is monitoring
  - Run listtails
- Index SNMP events with Splunk
- log4j
Data Distribution
- How data distribution works
- Enable forwarding and receiving
- Configure target groups in outputs.conf
  - Configuration
  - Example
- Set up routing
- Route specific events to different queues
- Route specific events to an alternate index
  - Configuration
  - Example
- Set up SSL
  - Forwarder
  - Receiver
- Enable cloning
- Set up data balancing
  - Configuration
  - Example
- Route data to third-party systems
  - Configuration
  - Example
Indexing
- How indexing works
  - How events work
  - How segmentation works
- Index multi-line events
  - Configuration
  - Examples
- Configure segmentation
  - Splunk Web segmentation
- Configure custom segmentation for a host, source, or source type
  - via props.conf
  - Example
- Mask sensitive data in an event
  - Configuration
- Configure character set encoding
- Dynamic metadata assignment
  - Configuration
  - Set values with a script
Timestamps
- How timestamp extraction works
  - Precedence rules for timestamp assignment
  - Configure timestamps
- Configure timestamp extraction
- Configure timezone offsets
- Configure European date formats
  - Configure European date format in literals.conf
  - Use the timeformat modifier
- Configure positional timestamp extraction
  - Configure positional timestamp extraction in props.conf
- Tune timestamp extraction for better indexing performance
  - Adjust timestamp lookahead
  - Turn off the timestamp processor
- Train Splunk to recognize a timestamp
Fields
- How fields work
- Create indexed fields via configuration files
  - Configuration
  - Example
- Create extracted fields via configuration files
- Create extracted fields via Splunk Web
- Field actions
  - Configuration
  - Example
- Configure fields.conf
  - Configuration
- Configure multi-value fields
  - Configure multi-value fields via fields.conf
  - Example
- Configure tags
  - Configure tags vis tags.conf
  - Examples
- Automatic header-based field extraction
Hosts
- How host works
- Set default host for a Splunk server
  - via Splunk Web
  - via configuration files
- Define host assignment for an input
  - Statically
  - Dynamically
- Tag hosts
  - via Splunk Web
  - Host tags vs host names
- Extract host per event
  - Configuration
  - Example
Source Types
- How source types work
- Rule-based association of source types
  - Configuration
  - Examples
- Set source type for an input
  - via Splunk Web
  - via configuration files
- Set source type for a source
  - via configuration files
- Train Splunk to recognize a source type
  - via the CLI
- Source type settings in props.conf
- Configure a source type alias
Event Types
- How event types work
- Save event types via Splunk Web
  - Configuration
- Configure eventtypes.conf
- Tag event types
  - Configuration
- Event type discovery
  - Configure event types
- Event type templates
  - Configuration
  - Example
- Dynamic event rendering
Transaction Types
- How transaction types work
  - Define transactions
  - Sample use cases
- Transaction types via configuration files
  - Configuration
  - Example
- Transaction search
  - Transactions and macro search
Search
- How search works
- Set up saved searches
  - via Splunk Web
- Set up saved searches via savedsearches.conf
  - Configuration
  - Example
- Set up alerts via Splunk Web
  - Set up an alert
  - Specify which fields to show
- Set up alerts via savedsearches.conf
- Customize alert options
  - Email options
  - Additional alert customizations
- Create a form search
- Macro searches
  - Configure a macro search
- Configure summary indexing
  - Summary indexing and license volume
  - Manually configure summary indexing
- Live tail
- Send syslog events
  - Configuration
  - Example
- Send SNMP traps
  - Configuration
  - Configure your alert to call a shell script
Distributed Search
- How distributed search works
  - Known issues with distributed search
- Enable distributed search via Splunk Web
- Enable distributed search via the CLI
  - Configuration
- Configure distributed search via distsearch.conf
  - Configuration
  - Example
- Exclude specific Splunk servers from distributed searches
Security
- Security options
  - Authentication
  - Audit
- Enable HTTPS
  - Configuration
  - Certificates
- SSL
  - Configuration
- Configure roles
  - Configuration
  - Example
- Set up LDAP
- Scripted authentication
- File system change monitor
  - How the file system change monitor works
  - Configure the file system change monitor
- Audit events
- Audit event signing
  - How audit event signing works
  - Configure audit event signing
- Event hashing
- IT data signing
- Archive signing
Data Management
- Splunk data management
  - Index management
  - Configuration files for index management
- Create an index
- Remove (delete) data
- Move an index
  - Configuration
- Set a retirement and archiving policy
  - Remove files beyond a certain size
  - Remove files beyond a certain age
- Automate archiving
  - Use Splunk's index aging policy to archive
- Restore archived data
  - Restore with resurrect
  - Restore a copied index archive
- Export event data
  - via the CLI
  - via Splunk Web
- Disk usage
  - Set minimum free disk space
  - Set database size
- Use separate partitions for Splunk's datastore
  - Set up separate partitions
- Use WORM (Write Once Read Many) volumes for Splunk's datastore
  - Configuration
Deployment Server
- How the deployment server works
  - Communication between deployment server and client
  - Configuration files for deployment server
- Configure a Splunk Deployment Server
  - Configuration
  - Example
- Configure server classes
  - Configuration
  - Example
- Configure deployment clients
- Sync the server and client
  - Configuration changes
Performance Tuning
- Performance tuning Splunk
- Indexing performance
- Search performance
- Storage efficiency
- CPU and memory footprint
  - Improve CPU usage
  - Improve memory usage
- Multi-CPU servers
  - indexes.conf
- 64-bit operating systems
  - indexes.conf
- Splunk backup options
  - Back up configurations
  - Back up your entire installation
Configuration Files
- How do configuration files work?
  - Configuration file directory structure
  - Configuration file precedence
- Configure application directories
  - Make an application directory
  - Best practice
- Configuration file list
Applications
- About applications
- Install Splunk applications
Reference
- Splunk log files
  - Internal logs
  - debug
  - log.cfg
- Work with metrics.log
  - Use metrics.log to troubleshoot issues with data inputs
- Pre-trained source types
  - Automatically recognized source types
  - Pre-trained source types
- alert_actions.conf
  - alert_actions.conf.spec
  - alert_actions.conf.example
- app.conf
  - app.conf.spec
  - app.conf.example
- audit.conf
  - audit.conf.spec
  - audit.conf.example
- authentication.conf
  - authentication.conf.spec
  - authentication.conf.example
- authorize.conf
  - authorize.conf.spec
  - authorize.conf.example
- commands.conf
  - commands.conf.spec
  - commands.conf.example
- crawl.conf
  - crawl.conf.example
  - crawl.conf.spec
- decorations.conf
  - decorations.conf.spec
  - decorations.conf.example
- deployment.conf
  - deployment.conf.spec
  - deployment.conf.example
- distsearch.conf
  - distsearch.conf.spec
  - distsearch.conf.example
- eventdiscoverer.conf
  - eventdiscoverer.conf.spec
  - eventdiscoverer.conf.example
- eventtypes.conf
  - eventtypes.conf.spec
  - eventtypes.conf.example
- field_actions.conf
  - field_actions.conf.spec
  - field_actions.conf.example
- fields.conf
  - fields.conf.spec
  - fields.conf.example
- indexes.conf
  - indexes.conf.spec
  - indexes.conf.example
- inputs.conf
  - inputs.conf.spec
  - inputs.conf.example
- limits.conf
  - limits.conf.spec
  - limits.conf.example
- literals.conf
  - literals.conf.example
- multikv.conf
  - multikv.conf.spec
  - multikv.conf.example
- outputs.conf
  - outputs.conf.spec
  - outputs.conf.example
- prefs.conf
  - prefs.conf.spec
  - prefs.conf.example
- props.conf
  - props.conf.example
  - props.conf.spec
- props.conf (cont)
  - props.conf.spec, continued
- regmon-filters.conf
  - regmon-filters.conf.spec
  - regmon-filters.conf.example
- restmap.conf
  - restmap.conf.example
  - restmap.conf.spec
- savedsearches.conf
  - savedsearches.conf.example
  - savedsearches.conf.spec
- segmenters.conf
  - segmenters.conf.example
  - segmenters.conf.spec
- server.conf
  - server.conf.example
  - server.conf.spec
- source-classifier.conf
  - source-classifier.conf.example
  - source-classifier.conf.spec
- sourcetypes.conf
  - sourcetypes.conf.example
  - sourcetypes.conf.spec
- streams.conf
  - streams.conf.example
  - streams.conf.spec
- strings.conf
  - strings.conf.example
  - strings.conf.spec
- sysmon.conf
  - sysmon.conf.example
  - sysmon.conf.spec
- tags.conf
  - tags.conf.spec
  - tags.conf.spec
- transactiontypes.conf
  - transactiontypes.conf.example
  - transactiontypes.conf.spec
- transforms.conf
  - transforms.conf.example
  - transforms.conf.spec
- user-seed.conf
  - user-seed.conf.example
  - user-seed.conf.spec
- web.conf
  - web.conf.example
  - web.conf.spec
- wmi.conf
  - wmi.conf.example
  - wmi.conf.spec
Troubleshooting
- Contact Support
- Splunkd is down
  - Splunkd may need a few more seconds to come up
  - Your license file contains line-breaks or other hidden characters
- License issues
- Anonymize data samples
  - Simple method
  - Advanced method
- Unable to get a properly formatted response from the server
- Command line tools
  - btool
  - classify
  - exporttool
  - gzdumper
  - listtails
  - locktest
  - locktool
  - parsetest
  - pcregextest
  - regextest
  - searchtest
  - signtool
  - tsidxprobe

This page last updated: 08/11/08 02:08pm

Export event data

Use the export CLI command to copy or archive events from Splunk's indexes. The export command does not remove any data -- it just makes a copy. Since the export command runs on active index files, you must first stop Splunk before you use it.

via the CLI

Note: To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and preface CLI commands with ./splunk.

To export events from your Splunk index type into the CLI:

./splunk export eventdata main -dir /copydir [optional search expression]

Note: Type: ./splunk help export to see all of the export command's available arguments and parameters.

Example

Export a subset of events from your index that are from the host "twinkie":

$SPLUNK_HOME/bin/splunk  export eventdata main -dir /copydir host="twinkie"

via Splunk Web

To export data via Splunk Web, run your search and choose Export from the drop-down menu to the left of the search box.

Select the format of the results (txt or CSV) and and the number of events that should be exported.

Previous: Restore archived data | Next: Disk usage

Comments

No comments have been submitted.

Log in to comment.