
export

The export operator does one of the following: it writes search results to a Cribl Lake Dataset, to a Search Dataset, or to a lookup.

Only Admin and Editor Search Members can run the export operator. See also specific limitations on exporting to Lake Datasets, to Search Datasets, and to lookups.

Syntax

The export operator supports three destination keywords: lake, search, and lookup. Specify one keyword after to to pick the destination type.

If you don’t specify a keyword, export tries to write to a Cribl Lake Dataset, not to a Search Dataset. To export to a Search Dataset or a lookup, you must use the search or lookup keyword explicitly.

Export to Cribl Lake:

Scope | export [ suppressPreviews=Previews ] to [ lake ] LakeDatasetName [ tee=Tee ]

Export to a Search Dataset:

Scope | export [ suppressPreviews=Previews ] to search SearchDatasetID [ tee=Tee ]

Export to a lookup:

Scope | export [ mode=Mode ]
               [ description=Description ]
               [ suppressPreviews=Previews ]
               [ fieldMapping=PairsToMap ]
               [ compress=Compress ]
               to lookup LookupName
               [ tee=Tee ]
               [ maxEvents=MaxEvents ]

Arguments

Arguments are case-insensitive.

lake: Export to a Cribl Lake Dataset

  • Scope: The events to search.
  • Previews: Boolean. If false (default), Cribl Search displays intermediate statistics (previews) during the export operation. If true (so, suppressPreviews=true), you’ll see only the final statistics, once the export operation completes.
  • LakeDatasetName: The Cribl Lake Dataset to export results to. You must choose an already existing Dataset.
  • Tee: Boolean. If set to true, the search results are shown as usual. If false (which is the default), instead of the results, Cribl Search displays statistics related to the export.

Dataset Limitations

Typically, you’re exporting data in which Cribl Search has already parsed field names and values. This makes the data compatible with Lakehouses. However, if you happen to send unparsed data, you won’t be able to search it at Lakehouse speed.

The export operator can’t send data to a Cribl Lake Dataset that is populated via Splunk Cloud Direct Access.

search: Export to a Cribl Search Dataset

This option exports results to a Search Dataset hosted on a Cribl-managed lakehouse engine.

  • Scope: The events to search.
  • Previews: Boolean. If false (default), Cribl Search displays intermediate statistics (previews) during the export operation. If true (so, suppressPreviews=true), you’ll see only the final statistics, once the export operation completes.
  • SearchDatasetID: The ID of an existing Search Dataset to export results to. The Dataset must be hosted on a lakehouse engine that is in Ready status.
  • Tee: Boolean. If set to true, the search results are shown as usual. If false (which is the default), instead of the results, Cribl Search displays statistics related to the export.

lookup: Export to a Lookup

  • Scope: The events to search.
  • Mode: Supports create, overwrite, and append. Defaults to create. If the lookup doesn’t exist, the operator falls back to create, which simplifies scheduled searches. In append mode you can also include the description, fieldMapping, and compress parameters; if the lookup already exists, they are ignored. This streamlines appending data to a lookup from scheduled searches: the table is generated during the first scheduled run, and subsequent runs append new content to it.
  • Description: String. The description to give the lookup.
  • Previews: Boolean. If false (default), Cribl Search displays intermediate statistics (previews) during the export operation. If true (so, suppressPreviews=true), you’ll see only the final statistics, once the export operation completes.
  • PairsToMap: String. Comma-separated list of sourceName:targetName pairs to map event property names to CSV output names. Defaults to all of the last known list of projected fields.
  • Compress: String. Defaults to auto, which compresses files larger than 16 KB. Set to true to compress regardless of size, or false to never compress the file.
  • LookupName: The lookup file name, without the file extension. For example: a file name of users.csv is entered as users.
  • Tee: Boolean. Defaults to false, in which case search results are not shown in Cribl Search; instead, you get an event with the URL and the number of bytes and events sent or dropped. When true, the search results are displayed and no stats are provided. For example: tee=true.
  • MaxEvents: The maximum number of events that export will write to the table. Cribl Search will drop any events beyond this limit. Defaults to 10000 (10,000 rows). This is also the maximum number of events that this operator’s lookup mode can handle, so entering a higher MaxEvents still effectively sets a limit of 10000.

Lookup Limitations

You can’t use the create mode on an existing lookup. This will trigger an error.

You can’t use the export operator to create or update Pack lookups. For example, | export to lookup pack(packId).lookupId will not work.
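The argument rules above interact in ways that are easy to misread (create on an existing lookup errors, append on a missing lookup becomes create, compress=auto keys off a 16 KB threshold, and MaxEvents is capped at 10000 whatever you pass). The following Python model is an added example, not Cribl's code: it implements those documented rules for a list of event dictionaries and returns the CSV bytes plus the sent/dropped statistics the tee=false event reports. The function names, the existing_columns parameter, and the sample events are assumptions made for this illustration.

```python
"""Offline model of the documented `export ... to lookup` argument semantics.

Added example (not Cribl's code). It encodes the rules on this page:
mode create/overwrite/append, fieldMapping pairs, compress=auto at 16 KB,
and the 10000-event MaxEvents cap.
"""
import csv
import gzip
import io

MAX_EVENTS_LIMIT = 10000             # page: lookup mode never writes more rows
COMPRESS_AUTO_THRESHOLD = 16 * 1024  # page: auto compresses files > 16 KB


def parse_field_mapping(pairs_to_map, projected_fields):
    """Parse 'sourceName:targetName,...' into an ordered (source, target) list.

    An empty mapping defaults to the projected fields mapped 1:1, as documented.
    """
    if not pairs_to_map:
        return [(f, f) for f in projected_fields]
    mapping = []
    for pair in pairs_to_map.split(","):
        pair = pair.strip()
        if not pair:
            continue
        source, sep, target = pair.partition(":")
        if not sep or not source.strip() or not target.strip():
            raise ValueError(f"bad fieldMapping pair: {pair!r}")
        mapping.append((source.strip(), target.strip()))
    return mapping


def resolve_mode(mode, lookup_exists):
    """Apply the documented mode rules and return the effective mode."""
    mode = (mode or "create").lower()
    if mode not in ("create", "overwrite", "append"):
        raise ValueError(f"unknown mode: {mode!r}")
    if mode == "create" and lookup_exists:
        raise ValueError("create mode on an existing lookup is an error")
    if not lookup_exists:
        return "create"  # missing lookup: fall back to create
    return mode


def should_compress(compress, size_bytes):
    """true/false are absolute; auto compresses only above the threshold."""
    value = str("auto" if compress is None else compress).lower()
    if value == "true":
        return True
    if value == "false":
        return False
    if value == "auto":
        return size_bytes > COMPRESS_AUTO_THRESHOLD
    raise ValueError(f"unknown compress value: {compress!r}")


def export_to_lookup(events, *, mode="create", field_mapping=None,
                     compress="auto", max_events=MAX_EVENTS_LIMIT,
                     lookup_exists=False, existing_columns=None):
    """Return CSV bytes and export stats for a list of event dicts."""
    effective_mode = resolve_mode(mode, lookup_exists)
    if effective_mode == "append":
        # Page: on append to an existing lookup, description/fieldMapping/
        # compress are ignored. Assumption: the existing table's columns win.
        field_mapping, compress = None, "auto"
        projected = list(existing_columns or [])
    else:
        projected = sorted({k for e in events for k in e})
    mapping = parse_field_mapping(field_mapping, projected)
    # Page: a MaxEvents above 10000 still caps at 10000.
    limit = min(int(max_events), MAX_EVENTS_LIMIT)
    kept, dropped = events[:limit], max(0, len(events) - limit)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow([target for _, target in mapping])
    for event in kept:
        writer.writerow([event.get(source, "") for source, _ in mapping])
    raw = buf.getvalue().encode()
    compressed = should_compress(compress, len(raw))
    payload = gzip.compress(raw) if compressed else raw
    return {"mode": effective_mode, "events": len(kept), "dropped": dropped,
            "compressed": compressed, "bytes": len(payload), "csv": raw}


# Constructed sample events standing in for search results.
SAMPLE_EVENTS = [{"_time": 1700000000 + i, "status": 200 + (i % 3) * 100}
                 for i in range(12)]

if __name__ == "__main__":
    stats = export_to_lookup(SAMPLE_EVENTS,
                             field_mapping="_time:time,status:status",
                             max_events=5)
    print({k: v for k, v in stats.items() if k != "csv"})
    print(stats["csv"].decode())
```

Run it as a script to see the statistics event and the CSV that the mylookup example on this page would produce; the `dropped` count is what the tee=false summary reports when MaxEvents is lower than the result set.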

_raw in Exports to Cribl Lake

Exports to Lake Datasets include the _raw field. If you want to remove this field, use the project-away operator.

_time in Exports to Cribl Lake

Cribl Lake handles the _time field automatically, so Datatype timestamp settings in Cribl Search don’t apply.

If the source event has no _time field, Cribl Lake adds this field, setting its value to now() at write time.

Examples

Export search results to the myDataset Lake Dataset:

dataset="cribl_search_sample"
| export to lake myDataset

// you can also drop the `lake` keyword
dataset="cribl_search_sample"
| export to myDataset

Export search results to a Lake Dataset, and remove the _raw field:

dataset="cribl_search_sample"
| export to lake myDataset
| project-away _raw

Export search results to the mySearchDataset Search Dataset:

dataset="cribl_search_sample"
| export to search mySearchDataset

Create a lookup named mylookup with the time and status fields:

dataset="cribl_search_sample" status="*"
| limit 5
| export description="My lookup" fieldMapping="_time:time,status:status" to lookup mylookup

You can verify the contents of the lookup with this command, replacing mylookup with the name of your own lookup file:

dataset="$vt_lookups" lookupFile="mylookup"

Export a lookup with two columns, method and cnt:

dataset=$vt_dummy event<600
| extend _time=_time-rand(600), method=iif(event%2>0, "GET", "POST")
| summarize cnt=count() by method
| export mode=append description="Table with http methods count" to lookup mymethods

To verify that the table was exported:

dataset="cribl_lookups" lookup_table=mymethods
| project method, cnt
| render table

Enrich exported results with context about the search that produced them. Using jobID(), user(), and query() adds a provenance trail that lets you distinguish between different result sets in Lake and trace each record back to the search that created it:

dataset=myDataset
| extend search_id=jobID(), run_by=user(), source_query=query()
| export to lake myEnrichedDataset