Pipe Splunk Data to CSV in PowerShell


An easy-to-use set of PowerShell Cmdlets offering real-time access to Splunk data. The Cmdlets allow users to easily read, write, update, and delete live data - just like working with SQL server.

Use standard PowerShell cmdlets to access Splunk tables.

The CData Cmdlets Module for Splunk is a standard PowerShell module offering straightforward integration with Splunk. Below, you will find examples of using our Splunk Cmdlets with native PowerShell cmdlets.

Creating a Connection to Your Splunk Data

To authenticate requests, set the User, Password, and URL properties to valid Splunk credentials. Requests are made to Splunk on port 8089.

The data provider uses plain-text authentication by default, because it attempts to negotiate TLS/SSL with the server.

If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.

$conn = Connect-Splunk  -user "$user" -password "$password" -URL "$URL"

Selecting Data

Use the following command to retrieve data from the DataModels table and pipe the result into a CSV file:

Select-Splunk -Connection $conn -Table DataModels | Select -Property * -ExcludeProperty Connection,Table,Columns | Export-Csv -Path c:\myDataModelsData.csv -NoTypeInformation

You will notice that we piped the results from Select-Splunk into a Select-Object cmdlet and excluded some properties before piping them into an Export-Csv cmdlet. We do this because the CData Cmdlets append Connection, Table, and Columns information onto each "row" in the result set, and we do not necessarily want that information in our CSV file.

The Connection, Table, and Columns are appended to the results in order to facilitate piping results from one of the CData Cmdlets directly into another one.

Deleting Data

The following line deletes any records that match the criteria:

Select-Splunk -Connection $conn -Table DataModels -Where "Id = 'SampleDataset'" | Remove-Splunk

Inserting and Updating Data

The cmdlets make data transformation and data cleansing easy. The following example loads data from a CSV file into Splunk, checking first whether a record already exists and needs to be updated instead of inserted.

Import-Csv -Path C:\MyDataModelsUpdates.csv | %{
  $record = Select-Splunk -Connection $conn -Table DataModels -Where ("Id = `'"+$_.Id+"`'")  # look up the row by Id
  if ($record) {  # record exists: update it
    Update-Splunk -Connection $conn -Table DataModels -Columns ("Name","Owner") -Values ($_.Name, $_.Owner) -Where ("Id = `'"+$_.Id+"`'")
  } else {  # no match: insert a new record
    Add-Splunk -Connection $conn -Table DataModels -Columns ("Name","Owner") -Values ($_.Name, $_.Owner)
  }
}
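
The loop above builds its -Where filter by concatenating the Id column of each CSV row into a quoted string, so an Id that contains a quote changes the filter that Select-Splunk and Update-Splunk receive. The following is an added example, not CData's code: it validates each Id against an allow-list before building the filter and runs offline without calling the Splunk cmdlets. The function name ConvertTo-SplunkIdFilter, the Id pattern, and the sample rows are assumptions made for illustration.

```powershell
# Added example: validate CSV-supplied Ids before they reach a -Where filter.
# ConvertTo-SplunkIdFilter is a hypothetical helper, not part of the CData module.
function ConvertTo-SplunkIdFilter {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Id,
        # Assumption: Ids are short names made of letters, digits, '_', '.', '-'.
        # \z (not $) anchors at the true end, so a trailing newline is rejected.
        [string]$Pattern = '^[A-Za-z0-9_.-]{1,128}\z'
    )
    if ($Id -cnotmatch $Pattern) {
        throw "Rejected Id '$Id': not allowed by pattern $Pattern"
    }
    # Safe to quote: the allow-list excludes quotes, spaces and operators.
    return "Id = '$Id'"
}

# Constructed sample rows standing in for C:\MyDataModelsUpdates.csv.
$rows = @'
Id,Name,Owner
SampleDataset,Sample,admin
Web_Traffic.v2,Web Traffic,secops
Team's Dataset,Stray quote,nobody
,Blank Id,nobody
'@ | ConvertFrom-Csv

# Build a plan first; nothing is sent to Splunk in this example.
$plan = foreach ($row in $rows) {
    try {
        [pscustomobject]@{
            Id     = $row.Id
            Filter = ConvertTo-SplunkIdFilter -Id $row.Id
            Action = 'lookup'
        }
    } catch {
        [pscustomobject]@{
            Id     = $row.Id
            Filter = $null
            Action = 'skip: ' + $_.Exception.Message
        }
    }
}

$plan | Format-Table -AutoSize -Wrap
```

Only rows whose Action is 'lookup' should have their Filter value passed to -Where in the Select-Splunk and Update-Splunk calls; skipped rows are worth logging and reviewing before the import is rerun.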

As always, our goal is to simplify the way you connect to data. With cmdlets users can install a data module, set the connection properties, and start building. Download Cmdlets and start working with your data in PowerShell today!