Suppose a team wants to extract result in JSON format, for one time result we can export it manually, but if a team wants to schedule report/alert, Splunk gives us two options, either you can export it as CSV or in PDF. So for getting the results in JSON format we can use DUMP command in splunk.

Before knowing how DUMP command works, let’s understand about DUMP Command.
DUMP Command :  Dump is an internal search command which export search results to a set of chunk files on local disk.

Syntax :
dump basefilename=< string > [rollsize=< number >] [compress=< number >] [format=< string >] [fields=< comma-delimited-string >]

Required arguments: basefilenameSyntax: basefilename=< string >
Description: The prefix of the export filename.

Optional arguments: compress

Syntax: compress=< number >
Description: The gzip compression level. Specify a number from 0 to 9, where 0 means no compression and a higher number means more compression and slower writing speed.
Default: 2

fields

Syntax: fields=< comma-delimited-string >
Description: A list of the fields to be exported. The entire list must be enclosed in quotation marks. Invalid field names are ignored.

format
Syntax: format= raw | csv | tsv | json | xml
Description: The output data format.
Default: raw

rollsize

Syntax: rollsize=< number >
Description: The minimum file size, in MB, at which point no more events are written to the file and it becomes a candidate for HDFS transfer.
Default: 63 MB

When we will use, this command runs a specified search query and one shot export search result to local disk at “$SPLUNK_HOME/var/run/splunk/dispatch/< sid >/dump”.


Let’s take an example:

Here we want to extract a file in Json Format in our local disk.  We have to use following command.

Index =_internal |stats count by host| dump basefilename=”Internal_data” compress=0 format=json fields=”host, count”

If you are still facing issue regarding dump command in splunk Feel free to Ask Doubts in the Comment Box Below and Don’t Forget to Follow us on 👍 Social Networks, happy Splunking >😉