Reporting

Missing records when exporting to a text file

cesca
Engager

Hi,

I'm using splunk 4.2.4 and performed in the GUI a search that says something easy like host="AAA" OR host="BBB". It works since I can see the records for the AAA host and the BBB host and if pickup just the BBB host I see about 40 records. However, when I export the search result to a text file using the GUI and choosing the Raw data option, there are some records missing in the text file. If there were 1000 entries regarding host AAA and 40 entries regarding host BBB I just see the 1000 from AAA and only 3 entries of host BBB.

Do you have any idea why it can be happening? It only occurs in the exported file. In the GUI I can see all the entries correctly. I'm exporting about 102.000 records.

Thanks a lot,

-- Xavi

0 Karma

cesca
Engager

Hi,

Thanks for the information. I'll try to export it using the CLI commands until the 4.3 is released:

splunk search '*' -maxout 0

splunk search '*' -maxout 0 | wc -l

splunk search '*' -maxout 0 > exportfile.txt

I'll try to find out how to define the time range with theses commands.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

I believe the GUI export in 4.2 and lower has a limit of about 10k or 50k entries. In any case, it's less than 102k records. I believe 4.3 will have no such limit.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...