Splunk - Sharing Exporting




When you run a search query, the result is stored as a job on the Splunk server. Although the job is created by one specific user, it can be shared with other users so that they can use the result set without having to build the query again. The results can also be exported and saved as files, which can be shared with users who do not use Splunk.

Sharing the Search Result

Once a query has run successfully, a small upward arrow appears in the middle right of the web page. Clicking this icon gives us a URL where the query and the result can be accessed. The users who will use this link must be granted permission, which is done through the Splunk administration interface.

 share_export_1.jpg

Finding the Saved Results

The jobs that are saved for use by all users with appropriate permissions can be found through the jobs link under the activity menu in the top right bar of the Splunk interface. In the diagram below, we click the highlighted link named jobs to find the saved jobs.

 share_export_3.jpg

After the above link is clicked, we get the list of all the saved jobs, as shown below. Note that each saved job has an expiry date, after which it is automatically removed from Splunk. You can adjust this date by selecting the job, clicking Edit selected, and then choosing Extend Expiration.

 share_export_4.jpg

Exporting the Search Result

We can also export the results of a search into a file. The three formats available for export are CSV, XML and JSON. Clicking the Export button after choosing the format downloads the file through the browser to the local system.

 share_export_2.jpg
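
An exported CSV leaves Splunk's permission model and is often opened in a spreadsheet, where a cell starting with =, +, - or @ is treated as a formula, and log fields can hold values supplied by outside parties. The following is an added example, not part of the original tutorial: it drops fields that should not be shared and neutralises formula-like cells. The function names, the choice of `user` as the field to drop, and the sample rows are assumptions made for illustration.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_number(cell):
    """True for plain numeric cells such as -1 or +3.5, which must stay intact."""
    try:
        float(cell)
        return True
    except ValueError:
        return False


def neutralise(cell):
    """Prefix a single quote so the spreadsheet displays the cell as text."""
    if cell.startswith(FORMULA_PREFIXES) and not is_number(cell):
        return "'" + cell
    return cell


def prepare_for_sharing(csv_text, drop_fields=()):
    """Return CSV text without drop_fields and with formula cells neutralised."""
    reader = csv.DictReader(io.StringIO(csv_text))
    kept = [name for name in reader.fieldnames if name not in drop_fields]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=kept, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        # Short rows yield None for missing fields; write them as empty cells.
        writer.writerow({name: neutralise(row[name] or "") for name in kept})
    return out.getvalue()


# Constructed sample standing in for a file produced by the Export button.
SAMPLE_EXPORT = (
    "_time,host,user,uri,bytes\n"
    "2024-01-01T10:00:00,web01,alice,/index.html,-1\n"
    "2024-01-01T10:00:05,web01,bob,=1+1,512\n"
)

if __name__ == "__main__":
    print(prepare_for_sharing(SAMPLE_EXPORT, drop_fields=("user",)), end="")
```

Run it over the exported file before sending it to anyone outside Splunk; the numeric check keeps negative values such as -1 unchanged.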
