Solved: Why using earliest_time and latest_time in oneshot... - Splunk Community

Splunk Dev

I am running a search from a python script, following the example for onetime searches.
I have

searchquery_oneshot = ' search source=xxxx | table _time event screen '
kwargs_oneshot = {'latest_time': '-1h@h', 'output_mode': 'csv', 'earliest_time': '2014-01-01T00:00:00.000'}

It should have returned hundreds of records (when I run the same search and choose the same earliest and latest) ; However, it returned only 82 records for a recent 30 min or so timespan. It didn't even include ALL the records for that 30 mins.

Any suggestions please? I always need to have a fixed earliest time (its value gets calculated every night we run the script)

1 Solution

Solution

The problem was actually that Splunk has a limit on number of records it returns in the result set. I am using oneshot search and there doesn't seem to be a param for setting it to a high number.

View solution in original post

Try setting this in the jobargs before you submit your job:

oneshotSearchArgs.add("count", 0);

Solution

The problem was actually that Splunk has a limit on number of records it returns in the result set. I am using oneshot search and there doesn't seem to be a param for setting it to a high number.

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...