I am trying to run CLI searches and output it to a...

jsuryaprakash · ‎06-08-2018

Hello Everyone,

I am trying to run below query everyday at 6AM through CLI and output the result to new text file. But it's returning only 100 results. I also tried maxout but its not working and giving me some error, I might be missing something here . Can someone help me to get unlimited results for the query below.

/opt/splunk/bin/splunk search 'index =main sourcetype=employee_data_hcprd earliest=-24h@h latest=now |search HR_STATUS="I" | table EMPLID' > /opt/jobdata.txt

Thanks.
Surya

jowenssi · ‎06-11-2018

The new query would be:

/opt/splunk/bin/splunk search "index =main sourcetype=employee_data_hcprd earliest=-24h@h latest=now |search HR_STATUS=\"I\" | table EMPLID"  -maxout 0 > /opt/jobdata.txt

Ayn · ‎06-08-2018

You need the -maxout switch. By default the CLI will only output 100 results but by using this switch you change that. Set it to 0 if you want to output unlimited results.

https://docs.splunk.com/Documentation/Splunk/7.1.0/Search/ExportdatausingCLI

jsuryaprakash · ‎06-11-2018

Hi Ayn,

I tried it but its but still its returning the 100 results. Can you modify my above query where exactly to add -maxout switch .

jsuryaprakash · ‎06-11-2018

Thanks , got it working.

jowenssi · ‎06-11-2018

The new query would be:

/opt/splunk/bin/splunk search "index =main sourcetype=employee_data_hcprd earliest=-24h@h latest=now |search HR_STATUS="I" | table EMPLID"  -maxout 0 > /opt/jobdata.txt

I am trying to run CLI searches and output it to a file but its only giving 100 results.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms