Folks,
I wrote a Perl script to run a search on a remote Splunk server. By default the search only returns the first 100 events. How can I increase the limit without changing the configuration on the server?
I tried to use max_count but it does not have any effect:
my $response = $browser->post( $url, [ 'search' => $searchQuery, 'max_count' => 10000 ]);
Thanks.
What URL are you posting to? By default only 100 results are returned unless you specify "count" as a parameter in the URL, like this:
$url = "https://${splunkserver}:8089/services/search/jobs/${yourjobid}/results?count=0";
Great! Could you please mark the question as answered as it will pop up as unanswered on the site otherwise. Thanks.
Thank you. That fixed the problem.
If I use outputcsv in searchQuery then it returns all rows (more than 10000). It seems that Splunk ignores the max_count value.