Here's my CLI search:
SPLUNK_URI=https://splunk_search_head:8089
/opt/splunk/bin/splunk search '|savedsearch "mysavedsearch"' -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk
When running the above command, I always get 100 results via the CLI both locally and remotely. When I run this locally, I don't add the URI environment variable. Via the Web, I get 300+. Tried the -maxout command even with the value of 0. Any ideas?
Here's the saved search:
sourcetype="my_vpn" State="QM_IDLE" | eval customer = if(isnull(customer_dst) and isnotnull(customer_src),customer_src,customer_dst) | eval gam = case(match(gam_dst, "null"),gam_src,match(gam_src, "null"),gam_dst)|dedup customer|fields customer,gam |fields - _*
However, when I do the following CLI search locally, I do get 10000 results:
/opt/splunk/bin/splunk search "sourcetype=my_vpn" -maxout 10000 -auth admin:changeme -output csv -wrap 0 > customers_splunk
But when running remotely, I only get 100 results. Is there a special setting I'm missing here?
Any help is appreciated. -vc
Yes, there is a known bug when using -output csv. I believe this affects 4.1.4 and earlier (which is the current version).
Not directly your question, but if you are able to use the | outputcsv search command to write your results to $SPLUNK_HOME/var/run/splunk on the local machine and access them from there, that will run much faster than using -output csv on the CLI, locally or remotely, especially if you have more than a few hundred results.
A quick workaround in 4.1.x is to add the flag "-count 0", which will allow up to a -maxout of 50000.
The comment above refers to running searches both locally and remotely.
There seems to be a problem with the "-output csv" parameter. When it is removed, I get all 10K results, but in "rawevents" format. I also used "-output table" and again get all 10K results. Is there some kind of bug with "-output csv" that limits it to 100 results?
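An added example, not from this thread, that wraps the CLI export with the "-count 0" workaround mentioned above and flags a result file that stops at exactly the 100-row ceiling described in the question. The splunk binary path, the SPLUNK_AUTH variable and the helper function names are assumptions; the sample CSV is constructed locally so the row check runs without a Splunk instance.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the CLI lives under
# $SPLUNK_HOME/bin and that credentials are supplied via SPLUNK_AUTH
# (e.g. "user:pass") instead of being typed into the command line.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
CLI_ROW_CAP=100   # the suspicious ceiling seen with "-output csv" above

# Count data rows in a CSV file: header excluded, blank lines ignored.
csv_data_rows() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# True (exit 0) when the file holds exactly CLI_ROW_CAP rows, which is
# the signature of the truncated "-output csv" export in the thread.
looks_capped() {
    [ "$(csv_data_rows "$1")" -eq "$CLI_ROW_CAP" ]
}

# Write a constructed two-column CSV with $2 data rows to file $1, in the
# shape the saved search above produces (customer,gam). Used for testing.
make_sample_csv() {
    i=0
    {
        echo "customer,gam"
        while [ "$i" -lt "$2" ]; do
            echo "customer$i,gam$i"
            i=$((i + 1))
        done
    } > "$1"
}

# Run a saved search ($1) with the "-count 0" workaround, write CSV to $2,
# and return non-zero if the output still looks capped at 100 rows.
export_saved_search() {
    "$SPLUNK_HOME/bin/splunk" search "|savedsearch \"$1\"" \
        -count 0 -maxout 50000 -auth "${SPLUNK_AUTH:?set SPLUNK_AUTH}" \
        -output csv -wrap 0 > "$2"
    if looks_capped "$2"; then
        echo "warning: $2 has exactly $CLI_ROW_CAP rows; export may be truncated" >&2
        return 1
    fi
}
```

Compare the row count with what the Web UI reports for the same saved search before trusting the file downstream.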