Reporting

Export limit in 5.x

tawollen
Path Finder

I have a 2 search heads distributed to the same servers. I run a search: index=X sourcetype=Y | table A B C

The search completes with 317,000 results.

On 4.3.4 when I do an "unlimited" export (to CSV) I get all 317,000 results
5.0.2 only 50,000 results in the "unlimited" export.

Is there a new limit to "unlimited"?

Tags (1)

Ron_Naken
Splunk Employee
Splunk Employee

The configuration option that should affect the number of results exported for a table is this:

LIMITS.CONF:
[restapi]
maxresultrows = 50000

Increase that value to the desired maximum number of events. It doesn't look as if this limit has changed between version 4.3.4 and 5.x, so maybe you had configured the value in /default and the upgrade overwrote the changes. Be sure to save your configuration changes in a /local folder. Don't forget to restart Splunk after making the change.

As a side note, if you export the events without "| table", you should receive a full list without the option set.

ben_leung
Builder

Is there a bug in this configuration?

Set maxresultrows = 100, exported results as csv file, set to unlimited, gave all results.

Is this the wrong configuration to look at when limiting the returned results from UI export button?

0 Karma

alancalvitti
Path Finder

@Ron Naken , is it possible for users to override maxresultrows in Enterprise version?

0 Karma

ben_leung
Builder

version 6.0.5

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...