After making a search on the search head, clicking on the "Export" icon on the GUI, and after waiting up to a minute for the download to start, the file I receive has a size of 32768 bytes, whereas it should have been 284050 bytes. This happens only sometimes, and for no apparent reason.
Is this a known bug? Can I do something against it?
There are quite a few limitations, which could block you to get the whole data.
One of 'em is simply the fact of 50000-lines-limit on csv-exports. (even if u click on "unlimited")
well, I am coming back to my older request, could you please provide more details about your search query.
One Thing which comes into my mind is the default 10000 records limit on the sort command.
I am using "Raw Events" instead of csv as the output format. Does that still apply?
afaik only csv
But you can check it easily via wordcount
wc -l file
could you please provide more details:
how many lines does your export contain, and does your search include a sort command?