Typically users can easily click on the export button and export data to .csv. For larger data sets, specifically anything with more than 10,000 lines, Splunk hides the export button and will not allow users to export the search results. This is a built-in safety feature that protects Splunk's performance and is designed to prevent a crash.
Ahh, but all is not lost on exporting those massive spreadsheets that management eats up. It does take a little work though. Users must have access to $SPLUNK_HOME/var/run/splunk in order for this to work. At the end of the search string, pipe the results to the .csv of choice. This will store the results in $SPLUNK_HOME/var/run/splunk/<yourcsv.csv>.
Example
index="main" | outputcsv yourcsv.csv
GuardianMS
Guarding your IT Experience!