Splunk Search

How to use the C# SDK to return a large search result set (5,000,000 rows)?

pateld
Explorer

Hi

I have a "Saved Report" (named GetIP), which finds unique IPs passed through the firewall for the last 30 days. It reports approximately 5,000,000 rows of data.

Search is like this:

index=myIPIndex  | stats max(_time) as LastSeen,Count by foundIP | convert ctime(LastSeen) | sort -LastSeen

I am using C# SDK 2.0. Can someone provide a working example to retrieve all 5,000,000 rows? I am getting only the first 10,000 rows, which is the max rows defined by Splunk.

Thanks

0 Karma
1 Solution

lguinn2
Legend

For a start, don't use the sort command in your search. The sort command output is limited to 10,000 results; this is probably the source of your difficulties. See the sort documentation here.

Plus, if you want to sort 5 million values, do it outside of Splunk...

pateld
Explorer

It was the "sort" command, which has a limit of 10000.
Thanks

0 Karma
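
lguinn2's advice to sort outside Splunk, as an added example (not code from the thread, and not using the Splunk SDK). It assumes the search is run without `| sort -LastSeen`, that the rows are exported as CSV in the column order foundIP, LastSeen, Count, and that LastSeen is in the default `convert ctime` format; it sorts on the parsed timestamp because that month-first text does not sort chronologically across a year boundary.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;

static class SortOutsideSplunk
{
    // Default output format of "convert ctime(...)": %m/%d/%Y %H:%M:%S
    const string CtimeFormat = "MM/dd/yyyy HH:mm:ss";

    // Reads "foundIP,LastSeen,Count" rows (assumed column order) and returns
    // them newest first. The sort key is the parsed DateTime, not the text.
    public static List<(string Ip, DateTime LastSeen, long Count)> SortNewestFirst(TextReader csv)
    {
        var rows = new List<(string Ip, DateTime LastSeen, long Count)>();
        string line = csv.ReadLine();                 // skip the header row
        while ((line = csv.ReadLine()) != null)
        {
            if (line.Length == 0) continue;           // ignore blank lines
            string[] f = line.Split(',');
            if (f.Length != 3)
                throw new FormatException("Unexpected row: " + line);
            rows.Add((f[0].Trim('"'),
                      DateTime.ParseExact(f[1].Trim('"'), CtimeFormat,
                                          CultureInfo.InvariantCulture),
                      long.Parse(f[2].Trim('"'), CultureInfo.InvariantCulture)));
        }
        // In-place descending sort; avoids a second copy of millions of rows.
        rows.Sort((a, b) => b.LastSeen.CompareTo(a.LastSeen));
        return rows;
    }

    static void Main()
    {
        // Constructed sample rows (documentation-range IPs), not real results.
        // As plain text, "12/31/2023..." would sort after "01/03/2024...".
        string sample = "foundIP,LastSeen,Count\n" +
                        "192.0.2.10,12/28/2023 23:59:01,42\n" +
                        "198.51.100.7,01/03/2024 08:15:30,7\n" +
                        "203.0.113.5,12/31/2023 10:00:00,3\n";
        foreach (var r in SortNewestFirst(new StringReader(sample)))
            Console.WriteLine($"{r.Ip}\t{r.LastSeen:yyyy-MM-dd HH:mm:ss}\t{r.Count}");
    }
}
```

For a real export, pass a `StreamReader` over the CSV file instead of the `StringReader` used for the sample.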