Export search results
You can export search results from your Splunk deployment, and forward data to third-party systems, as described in this topic.
What are the available export methods?
The Splunk platform provides several export methods:
Splunk apps
Export options
The export method you choose depends on the data volumes involved and your level of interactivity. For example, a single on-demand search export through Splunk Web might be appropriate for a low-volume export. Alternatively, if you want to set up a higher-volume, scheduled export, the SDK and REST options work best.
For large exports, the most stable method of search data retrieval is the Command Line Interface (CLI). From the CLI, you can tailor your search to external applications using the various Splunk SDKs. The REST API works from the CLI as well, but is recommended only for internal use.
In terms of level of expertise, the Splunk Web and CLI methods are significantly more accessible than the SDKs and REST API, which require previous experience working with software development kits or REST API endpoints.
| Method | Volume | Interactivity | Remarks |
|---|---|---|---|
| Splunk Web | Low | On-Demand, Interactive | Easy to obtain on-demand exports |
| CLI | Medium | On-Demand, Low Interactive | Easy to obtain on-demand exports |
| REST | High | Automated, best for computer-to-computer | Works underneath SDK |
| SDK | High | Automated, best for computer-to-computer | Best for automation |
Supported export formats
You can export Splunk data into the following formats:
- Raw Events (for search results that are raw events and not calculated fields)
- CSV
- JSON
- XML
- PDF (for saved searches, using Splunk Web)