search returns only 50000 events, even if maxEvent...

paramagurukarth · ‎01-22-2015

We are just trying to handle a worst case where number of events crosses 50,000.
I am using python "splunk.search.dispatch" as below

searchjob = splunk.search.dispatch("search index=our_index earliest=-7d@d",sessionKey=sessionkey,hostPath=self.baseurl,maxEvents=30000000)

After the job is done job status contain
eventAvailableCount as 646890
eventCount as 646890

After that when i use, searchjob.getFeed to get result in csv mode as below
searchjob.getFeed(mode='results', outputMode='csv',count=0)

It only return 50,000 events. But it should return 646890 events.

Please let me know whether I have to pass any additional arguments to getFeed method.. or is there any other way to achieve my requirement

paramagurukarth · ‎02-04-2015

Below Code helped me to get my requirement

searchjob = splunk.search.dispatch("searchquery",sessionKey=sessionkey,hostPath=baseurl,earliestTime=earliestTime,latestTime=latestTime,maxEvents=30000000)
resultCount = searchjob.resultCount
offsetValue = 0
searchresults = ""
while offsetValue < resultCount:
searchresults = searchresults + str(searchjob.getFeed(mode='results', outputMode='csv',count=49999,offset=offsetValue))
offsetValue = offsetValue + 49999

paramagurukarth · ‎01-23-2015

Pagination while reading the result from job helped me. Thanks
http://dev.splunk.com/view/SP-CAAAECN#entitiescollections

search returns only 50000 events, even if maxEvents is specified

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life