Splunk Search

Why am I only getting a maximum of 100 events returned through a oneshot search via Java SDK?

ahmadka2
New Member

I'm using Splunk's Java SDK to get Splunk events, and the problem I'm facing is that Splunk only returns a maximum of 100 events, even if the search originally contains more than 100 events. How can I get all the events instead of just the 100 latest ones ?

I'm calling a one-shot search like this:

ServiceArgs loginArgs = new ServiceArgs();
loginArgs.setUsername(USERNAME_HERE);
loginArgs.setPassword(PASSWORD_HERE);
loginArgs.setHost(HOSTURL_HERE);
loginArgs.setPort(PORT_HERE);

HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);
Service service = Service.connect(loginArgs);
String searchQuery_normal = SEARCH_STRING_HERE;
JobArgs jobargs = new JobArgs();
jobargs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
Job job = service.getJobs().create(searchQuery_normal, jobargs);

//job only contains 100 events maximum

Doing an online search revealed that doing this before calling the search might help, but it doesn't -- I still get only 100 of the newest events, not all:

jobArgs.setAutoFinalizeEventCount(0);
0 Karma

raksh
New Member

@ahmadka2 @TechDuke @jkat54 

In my case even after setting the setCount to 0, I am unable to read it via ResultsReaderJson (Is it again possible if ResultsReaderJson reads only first 100 entries)

I have confirmed that stream contains all entries by printing it

String result = IOUtils.toString(stream, StandardCharsets.UTF_8);
System.out.println(result);

 

0 Karma

TechDuke
Engager

Using the Java SDK, you can pass a JobResultsArgs object to the Job's getResults() method. Specify the count as 0 to return all available results, instead of just 100 (the default setting).

JobResultsArgs jobResultsArgs = new JobResultsArgs();
jobResultsArgs.setCount(0);
InputStream resultsNormalSearch = job.getResults(jobResultsArgs);

Then you can use the ResultsReaderXml to iterate through all the available events. However, this is still limited to the server's default configuration setting of max 50,000, or whatever it's set to.

For more info, see setCount method in JavaDocs for the Splunk SDK for Java:
http://docs.splunk.com/DocumentationStatic/JavaSDK/1.5.0/com/splunk/JobResultsArgs.html#setCount(int...

jkat54
SplunkTrust
SplunkTrust
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...