SHA256 checksum (export-everything_200.tgz) 0ef7785a939e5019aa1dacf1af7a2d296604c0ae469926b5fd8a79e6dfbebea0
Export Everything

This add-on exports your Splunk search results to remote destinations so you can do more with your Splunk data. Search commands and alert actions export your data to multiple destination types, with any fields, in nearly any format.

Export Everything - Splunk Add-On by Deductiv

This add-on exports your Splunk search results to remote destinations so you can do more with your Splunk data. It provides search commands and alert actions to export/push/upload/share your data to multiple destinations of each type. The app must be configured via the Setup dashboard before using it. The setup dashboard includes a connection test feature in the form of a "Browse" action for all file-based destinations.

Supported Export Formats

  • JSON
  • Raw Text
  • KV Pairs
  • Comma-Delimited (CSV)
  • Tab-Delimited (TSV)
  • Pipe-Delimited

File-Based Destinations

  • Amazon Web Services (AWS) S3-Compatible Object Storage
  • Box.com Cloud Storage
  • Windows/SMB File Shares
  • SFTP Servers

Streaming Destinations

  • Splunk HTTP Event Collector

Credential Management

Use the Credentials tab to manage usernames, passwords, and passphrases (used for private keys) within the Splunk secret store. Certain use cases (such as private key logins) may not require a password, but Splunk requires one to be entered anyway. For passphrases, type any description into the username field. OAuth credentials such as those for AWS use the username field for the access key and the password field for the secret access key. Due to the way Splunk manages credentials, the username field cannot be changed once it is saved.

Authorization via Capabilities

Add read capabilities for each command to users who require access to use the search command or alert action. Add write capability to allow them to make changes to the configuration. By default, admin has full access and power has read-only access. Credential permissions must be granted separately, but are required to use each command that depends on them.
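As an added illustration of the read/write split described above (constructed example, not configuration shipped with the add-on), an authorize.conf fragment that gives an analyst role read access to two commands and a separate role the matching write access. The role names are placeholders; the capability names are the ones this page lists. Credential access is granted separately, as the paragraph notes, so these stanzas alone do not let a user run a command whose target depends on a stored credential.

```ini
# Constructed example for authorize.conf. Role names are placeholders.
# Read capabilities: may run the search command / alert action.
[role_export_analyst]
importRoles = user
configure_ep_aws_s3_read = enabled
configure_ep_hec_read = enabled

# Write capabilities: may change the destination configuration. Inherits the
# read capabilities via importRoles so the two roles stay in step.
[role_export_admin]
importRoles = export_analyst
configure_ep_aws_s3_write = enabled
configure_ep_hec_write = enabled
```

Keeping write capabilities on a distinct role means that a compromised analyst account can export only to destinations an administrator has already configured, not to a newly added one.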


AWS S3-Compatible Object Storage Export (epawss3)

Export Splunk search results to AWS S3-compatible object storage. Connections can be configured to authenticate using OAuth credentials or the assumed role of the search head EC2 instance.

Capabilities

  • configure_ep_aws_s3_read
  • configure_ep_aws_s3_write

Search Command Syntax

<search> | epawss3  
        target=<target name/alias>  
        bucket=<bucket>  
        outputfile=<output path/filename>  
        outputformat=[json|raw|kv|csv|tsv|pipe]  
        fields="<comma-delimited fields list>"  
        compress=[true|false]  

Arguments

  • Target

    Syntax: target=<target name/alias>
    Description: The name/alias of the destination connection
    Default: The target specified as the default within the setup dashboard

  • Bucket

    Syntax: bucket=<bucket name>
    Description: The name of the destination S3 bucket
    Default: Specified within the target configuration

  • Output File

    Syntax: outputfile=<[folder/]file name>
    Description: The name of the file to be written to the destination. If compress=true, a .gz extension is appended. If compress is not specified and the filename ends in .gz, compression is applied automatically.
    Default: app_username_epoch.ext (e.g. search_admin_1588000000.log). Extension by format: json=.json, csv=.csv, tsv=.tsv, pipe=.log, kv=.log, raw=.log
    Keywords: __now__=epoch, __today__=date in yyyy-mm-dd format, __nowft__=timestamp in yyyy-mm-dd_hhmmss format.

  • Output Format

    Syntax: outputformat=[json|raw|kv|csv|tsv|pipe]
    Description: The format for the exported search results
    Default: csv

  • Fields

    Syntax: fields="field1, field2, field3"
    Description: Limit the fields to be written to the exported file. Wildcards are supported.
    Default: All (*)

  • Compression

    Syntax: compress=[true|false]
    Description: Create the file as a .gz compressed archive
    Default: Specified within the target configuration


Box Export (epbox)

Export Splunk search results to Box cloud storage. Box must be configured with a Custom App using Server Authentication (with JWT) and a certificate generated. Then, the app must be submitted for approval by the administrator. The administrator should create a folder within the app's account and share it with the appropriate users.

Capabilities

  • configure_ep_box_read
  • configure_ep_box_write

Search Command Syntax

<search> | epbox  
        target=<target name/alias>  
        outputfile=<output path/filename>  
        outputformat=[json|raw|kv|csv|tsv|pipe]  
        fields="<comma-delimited fields list>"  
        compress=[true|false]  

Arguments

  • Target

    Syntax: target=<target name/alias>
    Description: The name/alias of the destination connection
    Default: The target specified as the default within the setup dashboard

  • Output File

    Syntax: outputfile=<[folder/]file name>
    Description: The name of the file to be written to the destination. If compress=true, a .gz extension is appended. If compress is not specified and the filename ends in .gz, compression is applied automatically.
    Default: app_username_epoch.ext (e.g. search_admin_1588000000.log). Extension by format: json=.json, csv=.csv, tsv=.tsv, pipe=.log, kv=.log, raw=.log
    Keywords: __now__=epoch, __today__=date in yyyy-mm-dd format, __nowft__=timestamp in yyyy-mm-dd_hhmmss format.

  • Output Format

    Syntax: outputformat=[json|raw|kv|csv|tsv|pipe]
    Description: The format for the exported search results
    Default: csv

  • Fields

    Syntax: fields="field1, field2, field3"
    Description: Limit the fields to be written to the exported file. Wildcards are supported.
    Default: All (*)

  • Compression

    Syntax: compress=[true|false]
    Description: Create the file as a .gz compressed archive
    Default: Specified within the target configuration


Windows/SMB Export (epsmb)

Export Splunk search results to SMB file shares.

Capabilities

  • configure_ep_smb_read
  • configure_ep_smb_write

Search Command Syntax

<search> | epsmb  
        target=<target name/alias>  
        outputfile=<output path/filename>  
        outputformat=[json|raw|kv|csv|tsv|pipe]  
        fields="<comma-delimited fields list>"  
        compress=[true|false]  

Arguments

  • Target

    Syntax: target=<target name/alias>
    Description: The name/alias of the destination connection
    Default: The target specified as the default within the setup dashboard

  • Output File

    Syntax: outputfile=<[folder/]file name>
    Description: The name of the file to be written to the destination. If compress=true, a .gz extension is appended. If compress is not specified and the filename ends in .gz, compression is applied automatically.
    Default: app_username_epoch.ext (e.g. search_admin_1588000000.log). Extension by format: json=.json, csv=.csv, tsv=.tsv, pipe=.log, kv=.log, raw=.log
    Keywords: __now__=epoch, __today__=date in yyyy-mm-dd format, __nowft__=timestamp in yyyy-mm-dd_hhmmss format.

  • Output Format

    Syntax: outputformat=[json|raw|kv|csv|tsv|pipe]
    Description: The format for the exported search results
    Default: csv

  • Fields

    Syntax: fields="field1, field2, field3"
    Description: Limit the fields to be written to the exported file. Wildcards are supported.
    Default: All (*)

  • Compression

    Syntax: compress=[true|false]
    Description: Create the file as a .gz compressed archive
    Default: Specified within the target configuration


SFTP Export (epsftp)

Export Splunk search results to SFTP servers.

Capabilities

  • configure_ep_sftp_read
  • configure_ep_sftp_write

Search Command Syntax

<search> | epsftp  
        target=<target name/alias>  
        outputfile=<output path/filename>  
        outputformat=[json|raw|kv|csv|tsv|pipe]  
        fields="<comma-delimited fields list>"  
        compress=[true|false]  

Arguments

  • Target

    Syntax: target=<target name/alias>
    Description: The name/alias of the destination connection
    Default: The target specified as the default within the setup dashboard

  • Output File

    Syntax: outputfile=<[folder/]file name>
    Description: The name of the file to be written to the destination. If compress=true, a .gz extension is appended. If compress is not specified and the filename ends in .gz, compression is applied automatically.
    Default: app_username_epoch.ext (e.g. search_admin_1588000000.log). Extension by format: json=.json, csv=.csv, tsv=.tsv, pipe=.log, kv=.log, raw=.log
    Keywords: __now__=epoch, __today__=date in yyyy-mm-dd format, __nowft__=timestamp in yyyy-mm-dd_hhmmss format.

  • Output Format

    Syntax: outputformat=[json|raw|kv|csv|tsv|pipe]
    Description: The format for the exported search results
    Default: csv

  • Fields

    Syntax: fields="field1, field2, field3"
    Description: Limit the fields to be written to the exported file. Wildcards are supported.
    Default: All (*)

  • Compression

    Syntax: compress=[true|false]
    Description: Create the file as a .gz compressed archive
    Default: Specified within the target configuration
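The Output File, Output Format, Fields and Compression arguments are identical for epawss3, epbox, epsmb and epsftp, so one added example covers all four. It is an illustrative Python re-implementation of the rules stated above (default filename, the __now__/__today__/__nowft__ keywords, the .gz handling, wildcard field selection and the six formats), not the add-on's own code. Two details the page leaves open are filled in as labelled assumptions: keyword dates are rendered in UTC, and compress=false is taken literally even when the name ends in .gz. The sample results are constructed.

```python
"""Added example: illustrative re-implementation of the outputfile, outputformat,
fields and compress rules shared by epawss3, epbox, epsmb and epsftp.
This is not the add-on's source code."""
import csv
import fnmatch
import io
import json
import time
from datetime import datetime, timezone

# Default extension per output format (from the Output File argument).
DEFAULT_EXT = {"json": ".json", "csv": ".csv", "tsv": ".tsv",
               "pipe": ".log", "kv": ".log", "raw": ".log"}
DELIMITERS = {"csv": ",", "tsv": "\t", "pipe": "|"}

# Constructed sample results; not the output of a real search.
SAMPLE_RESULTS = [
    {"_time": "2020-04-27T15:06:40", "user": "alice", "action": "login",
     "src_ip": "10.0.0.5", "_raw": "alice login ok from 10.0.0.5"},
    {"_time": "2020-04-27T15:07:02", "user": "bob", "action": "failed",
     "src_ip": "10.0.0.9", "_raw": "bob login failed from 10.0.0.9"},
]


def resolve_output_filename(outputfile=None, outputformat="csv", app="search",
                            username="admin", now=None, compress=None):
    """Return (filename, compress) following the page's rules.

    No outputfile -> app_username_epoch.ext; the __now__, __today__ and
    __nowft__ keywords are substituted; compress=true appends .gz; compress
    unspecified with a name ending in .gz turns compression on.
    Assumptions not on the page: keyword dates are rendered in UTC, and
    compress=false is taken literally even when the name ends in .gz.
    """
    if outputformat not in DEFAULT_EXT:
        raise ValueError(f"unknown outputformat: {outputformat}")
    now = time.time() if now is None else now
    dt = datetime.fromtimestamp(now, tz=timezone.utc)
    if not outputfile:
        outputfile = f"{app}_{username}_{int(now)}{DEFAULT_EXT[outputformat]}"
    outputfile = (outputfile.replace("__now__", str(int(now)))
                  .replace("__today__", dt.strftime("%Y-%m-%d"))
                  .replace("__nowft__", dt.strftime("%Y-%m-%d_%H%M%S")))
    if compress is None:
        compress = outputfile.endswith(".gz")
    elif compress and not outputfile.endswith(".gz"):
        outputfile += ".gz"
    return outputfile, compress


def select_fields(available, fields_spec="*"):
    """Expand the comma-delimited fields list (wildcards allowed) against the
    fields present, in the order requested, without duplicates."""
    chosen = []
    for pattern in (p.strip() for p in fields_spec.split(",") if p.strip()):
        for name in available:
            if fnmatch.fnmatchcase(name, pattern) and name not in chosen:
                chosen.append(name)
    return chosen


def format_results(results, outputformat="csv", fields_spec="*"):
    """Serialise result dicts into one of the six export formats."""
    available = []
    for r in results:
        for k in r:
            if k not in available:
                available.append(k)
    fields = select_fields(available, fields_spec)
    if outputformat == "json":
        lines = [json.dumps({k: r[k] for k in fields if k in r}) for r in results]
    elif outputformat == "raw":
        # Assumption: raw export writes each event's _raw text, one per line.
        lines = [str(r.get("_raw", "")) for r in results]
    elif outputformat == "kv":
        # Assumption: space-separated key="value" pairs, one event per line.
        lines = [" ".join(f'{k}="{r.get(k, "")}"' for k in fields) for r in results]
    elif outputformat in DELIMITERS:
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=fields, delimiter=DELIMITERS[outputformat],
                                extrasaction="ignore", lineterminator="\n")
        writer.writeheader()
        writer.writerows(results)  # missing fields become empty cells
        return buf.getvalue()
    else:
        raise ValueError(f"unknown outputformat: {outputformat}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    name, gz = resolve_output_filename("auth/__today__/logins.csv", compress=True, now=1588000000)
    print(name, gz)
    print(format_results(SAMPLE_RESULTS, "pipe", "_time, user, action"))
```

The delimited formats go through the csv module so a field value that itself contains the delimiter is quoted rather than silently splitting a column, which matters when exported files are later parsed by another system.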


Splunk HEC Export (ephec)

Push Splunk search results to a Splunk HTTP Event Collector (HEC) listener.

Capabilities

  • configure_ep_hec_read
  • configure_ep_hec_write

Search Command Syntax

<search> | ephec  
        target=<target name/alias>  
        host=[host_value|$host_field$]  
        source=[source_value|$source_field$]  
        sourcetype=[sourcetype_value|$sourcetype_field$]  
        index=[index_value|$index_field$]  

Arguments

  • Host

    Syntax: host=[host_value|$host_field$]
    Description: Field or string to be assigned to the host field on the pushed event
    Default: $host$, or if not defined, the hostname of the sending host (from inputs.conf)

  • Source

    Syntax: source=[source_value|$source_field$]
    Description: Field or string to be assigned to the source field on the pushed event
    Default: $source$, or if not defined, it is omitted

  • Sourcetype

    Syntax: sourcetype=[sourcetype_value|$sourcetype_field$]
    Description: Field or string to be assigned to the sourcetype field on the pushed event
    Default: $sourcetype$, or if not defined, json

  • Index

    Syntax: index=[index_value|$index_field$]
    Description: The remote index in which to store the pushed event
    Default: $index$, or if not defined, the remote endpoint's default.
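The four ephec arguments each accept either a literal value or a $field$ reference resolved per result, with the defaults listed above. The following added Python example (illustrative, not the add-on's code) shows how one HEC event payload is assembled under those rules. Assumptions beyond the page are labelled in the code: a $field$ reference whose field is absent falls back to the argument's default, a result's _time becomes the HEC time field, the whole result is the event body, and the sending-host name is a constructed placeholder for the hostname from inputs.conf.

```python
"""Added example: how the ephec host/source/sourcetype/index arguments resolve
for each result, as an illustrative HEC payload builder. Not the add-on's code."""
import json
import re

# A $field$ reference names a field of the result; anything else is a literal.
FIELD_REF = re.compile(r"^\$(\w+)\$$")

# Page defaults: each metadata key first looks at the result's own field of the
# same name, then at a fixed fallback (None means "omit from the payload").
DEFAULT_SPECS = {"host": "$host$", "source": "$source$",
                 "sourcetype": "$sourcetype$", "index": "$index$"}

# Constructed sample results; not the output of a real search.
HEC_SAMPLE_RESULTS = [
    {"_time": 1588000000, "host": "web01", "sourcetype": "access_combined",
     "user": "alice", "status": 200},
    {"_time": 1588000002, "user": "bob", "status": 403},
]


def resolve_meta(spec, result, fallback=None):
    """A literal spec is returned as is; a $field$ spec yields result[field].
    Assumption: when the referenced field is absent, fallback is used (the page
    does not define this case)."""
    m = FIELD_REF.match(spec)
    if m is None:
        return spec
    return result.get(m.group(1), fallback)


def build_hec_event(result, host=None, source=None, sourcetype=None,
                    index=None, sending_host="splunk-sh01.example"):
    """Build one HEC JSON event. sending_host is a constructed placeholder for
    the search head's hostname from inputs.conf."""
    specs = {"host": host, "source": source, "sourcetype": sourcetype, "index": index}
    # Fixed fallbacks from the page: sending host, omitted, json, omitted.
    fallbacks = {"host": sending_host, "source": None, "sourcetype": "json", "index": None}
    payload = {}
    for key, spec in specs.items():
        value = resolve_meta(spec or DEFAULT_SPECS[key], result, fallbacks[key])
        if value is not None:
            payload[key] = value
    # Assumption: _time becomes the HEC time field and the full result is the event body.
    if "_time" in result:
        payload["time"] = result["_time"]
    payload["event"] = result
    return payload


def hec_request_body(results, **meta):
    """HEC's event endpoint accepts several JSON events in one request body;
    they are newline-separated here."""
    return "\n".join(json.dumps(build_hec_event(r, **meta)) for r in results)


if __name__ == "__main__":
    print(hec_request_body(HEC_SAMPLE_RESULTS, index="security", sourcetype="$sourcetype$"))
```

Note that a result lacking a sourcetype field is pushed as sourcetype json and, unless index is given, lands in the remote endpoint's default index, so an explicit index argument is the safer choice when the receiving Splunk instance enforces index-based access controls.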


Support

Having trouble with the app? Feel free to email us and we’ll help you sort it out. You can also reach the author on the Splunk Community Slack.

Roadmap

We welcome your input on our app feature roadmap, which can be found on Trello.

Release Notes

Version 2.0.0
Sept. 10, 2021

Initial release
