Syntax:
dump basefilename=< string > [rollsize=< number >] [compress=< number >] [format=< string >] [fields=< comma-delimited-string >]
Required arguments:
basefilename
Syntax: basefilename=< string >
Description: The prefix of the export filename.
Optional arguments: compress
Syntax: compress=< number >
Description: The gzip compression level. Specify a number from 0 to 9, where 0 means no compression (plain files) and higher numbers compress more but write more slowly.
Default: 2
fields
Syntax: fields=< comma-delimited-string >
Description: A comma-separated list of the fields to export. The entire list must be enclosed in quotation marks. Invalid field names are silently ignored, so a misspelled field simply never appears in the output; check the exported files for the fields you expected.
format
Syntax: format= raw | csv | tsv | json | xml
Description: The output data format.
Default: raw
rollsize
Syntax: rollsize=< number >
Description: The minimum file size, in MB, at which point no more events are written to the file and it becomes a candidate for HDFS transfer.
Default: 63 MB
When used, this command runs the search that precedes it and exports the results in one shot to local disk, under “$SPLUNK_HOME/var/run/splunk/dispatch/< sid >/dump”, where < sid > is the ID of the search job. That directory belongs to the search job, so the exported files are removed when the job expires; copy them somewhere persistent before its TTL lapses.
Let’s take an example:
Here we want to export the results in JSON format to local disk. We use the following command:
index=_internal | stats count by host | dump basefilename="Internal_data" compress=0 format=json fields="host,count"
compress=0 writes plain (uncompressed) JSON files that can be read directly; leave the default of 2 to get gzip-compressed files.
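The exported files still have to be read back, and because invalid field names are ignored, a typo in fields="..." shows up only as a field that never appears. The following script is an added example written for this post, not Splunk's own code: it reads the chunk files a dump job leaves behind, sniffs gzip by its magic bytes so it works whether compress was 0 or not, and reports which of the requested fields never appeared. It assumes (not confirmed by the post) that format=json writes one JSON object per line and names chunks < basefilename >_< n >.json with a .gz suffix when compressed; the sample dump it writes into a temporary directory is constructed data standing in for the dispatch directory.

```python
"""Read back the chunk files written by a Splunk `dump` job and check fields.

Added example, not code from the original post or from Splunk. Assumed layout:
<basefilename>_<n>.json, plus a .gz suffix when compress > 0, one JSON object
per line. Verify against your own $SPLUNK_HOME/var/run/splunk/dispatch/<sid>/dump.
"""
import gzip
import json
import re
import tempfile
from pathlib import Path

# Assumed chunk naming (not confirmed by the post): <basefilename>_<n>.json[.gz]
_CHUNK_INDEX = re.compile(r"_(\d+)\.json(?:\.gz)?$")


def chunk_files(dump_dir, basefilename):
    """Chunk paths for basefilename in numeric chunk order (so _10 sorts after _9)."""
    paths = [p for p in Path(dump_dir).iterdir()
             if p.name.startswith(basefilename + "_") and _CHUNK_INDEX.search(p.name)]
    return sorted(paths, key=lambda p: int(_CHUNK_INDEX.search(p.name).group(1)))


def open_chunk(path):
    """Open a chunk as text, sniffing the gzip magic (1f 8b) instead of trusting the suffix."""
    with open(path, "rb") as fh:
        magic = fh.read(2)
    if magic == b"\x1f\x8b":
        return gzip.open(str(path), "rt", encoding="utf-8")
    return open(path, "r", encoding="utf-8")


def read_dump(dump_dir, basefilename, expected_fields):
    """Load every event from the dump and list the expected fields that never appeared.

    Invalid names in fields="..." are dropped silently by dump, so the caller
    passes the list it asked for and gets back the ones missing from the output.
    """
    events = []
    seen = set()
    for path in chunk_files(dump_dir, basefilename):
        with open_chunk(path) as fh:
            for line in fh:
                line = line.strip()
                if not line:
                    continue
                event = json.loads(line)
                events.append(event)
                seen.update(event)          # dict keys = field names present
    missing = sorted(set(expected_fields) - seen)
    return events, missing


def write_sample_dump(dump_dir, basefilename, compress):
    """Constructed stand-in for what
    index=_internal | stats count by host | dump basefilename=... format=json fields="host,count"
    might leave in the dispatch directory. Host names and counts are made up."""
    rows = [
        [{"host": "sh01", "count": 1203}, {"host": "idx01", "count": 8840}],
        [{"host": "idx02", "count": 9012}],
    ]
    for n, chunk in enumerate(rows):
        name = f"{basefilename}_{n}.json" + (".gz" if compress else "")
        path = str(Path(dump_dir) / name)
        opener = gzip.open if compress else open
        with opener(path, "wt", encoding="utf-8") as fh:
            for row in chunk:
                fh.write(json.dumps(row) + "\n")
    return dump_dir


def demo(compress=2):
    """Round trip a sample dump; returns (event count, total of count, missing fields).
    "hots" is a deliberate typo to show how a bad field name surfaces."""
    with tempfile.TemporaryDirectory() as d:
        write_sample_dump(d, "Internal_data", compress)
        events, missing = read_dump(d, "Internal_data", ["host", "count", "hots"])
        return len(events), sum(e["count"] for e in events), missing


if __name__ == "__main__":
    print(demo(compress=2))
    print(demo(compress=0))
```

Point read_dump at the real dump directory and the basefilename you used; the missing list is the check worth running right after the job, while the dispatch directory still exists.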
If you still have questions about the dump command in Splunk, feel free to ask in the comment box below, and don’t forget to follow us on 👍 social networks. Happy Splunking 😉