Tags: command-line-interface, splunk, splunk-query

Splunk cli search to get all events


I have a splunk container running on docker and I have some raw splunk index data (zeek, goose, iris_plus, etc.) with db directories containing .tsidx, .data, .dat files, and a journal file. How (and where) can I run a CLI search to get all possible events?

TIA!


Solution

Except for very small Splunk installations, a single CLI command is unlikely to be able to retrieve all indexed data before reaching the 50k output size limit. You'll have to run multiple commands to get it all.

Where you run the search doesn't matter because Splunk knows where to find the data on your behalf.

The query itself is simple: index=foo earliest=0 latest=now. Be sure to replace foo with the name of the index you want to search.
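The following is an added example, not part of the question or the answer above, showing how the "run multiple commands" advice can be scripted: it walks an index in fixed time windows and runs one CLI search per window inside the container, so no single search has to return the whole index. It assumes a container named splunk with Splunk installed under /opt/splunk, admin credentials passed through SPLUNK_USER and SPLUNK_PASS, and the splunk search CLI flags -auth, -maxout, -output and -preview; all of these are assumptions of the example and not stated on the page. Splunk treats earliest as inclusive and latest as exclusive, so adjacent windows do not double-count events.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): dump every event of one index
# from a dockerised Splunk via the CLI, one time window per search.
# Assumed (not in the original): container name "splunk", install path
# /opt/splunk, credentials in SPLUNK_USER / SPLUNK_PASS.
set -eu

SPLUNK_CONTAINER="${SPLUNK_CONTAINER:-splunk}"
SPLUNK_USER="${SPLUNK_USER:-admin}"
SPLUNK_PASS="${SPLUNK_PASS:-changeme}"

# Build the search string the answer describes. earliest/latest may be
# epoch seconds or Splunk time modifiers such as 0 and now.
build_search() {
    local index="$1" earliest="$2" latest="$3"
    printf 'index=%s earliest=%s latest=%s' "$index" "$earliest" "$latest"
}

# Run one search inside the container and print the raw events.
# -maxout 0 lifts the CLI's default 100-result cap; -preview false waits
# for the final result set instead of streaming partial previews.
run_search() {
    docker exec "$SPLUNK_CONTAINER" /opt/splunk/bin/splunk search "$1" \
        -auth "$SPLUNK_USER:$SPLUNK_PASS" -maxout 0 -output rawdata -preview false
}

# Walk [start, end) in windows of $step seconds, appending each chunk to
# $out. Prints the number of windows searched. SPLUNK_RUNNER lets a caller
# substitute another command for run_search (used for offline testing).
export_index() {
    local index="$1" start="$2" end="$3" step="$4" out="$5"
    local runner="${SPLUNK_RUNNER:-run_search}"
    local t="$start" windows=0 next
    : > "$out"
    while [ "$t" -lt "$end" ]; do
        next=$(( t + step ))
        if [ "$next" -gt "$end" ]; then
            next="$end"
        fi
        # earliest is inclusive and latest exclusive, so windows never overlap.
        "$runner" "$(build_search "$index" "$t" "$next")" >> "$out"
        t="$next"
        windows=$(( windows + 1 ))
    done
    echo "$windows"
}

# Usage (hypothetical index name and range; step is one day in seconds):
#   export_index zeek 1700000000 1702600000 86400 zeek_all_events.txt
```

Shrink the step if a single window still hits the output limit the answer mentions; because the windows are contiguous and half-open, re-running with a smaller step produces the same set of events.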