Getting Data In

After upgrading to 5.0.3, I can only export 100 lines of csv via UI.

the_wolverine
Champion

Upgraded from 4.3.x to 5.0.3 this week and noticed that exporting from UI only produces 100 lines of CSV. Yes, I checked "Unlimited" and even tried checking the 10000 lines option.

Using * | outputcsv myfile.csv produces a csv file with the correct number of lines (more than 100).

0 Karma

bfernandez
Communicator

It is not taking the maxout configuration that is 100 events in a search query by defafult.
Try this CLI example:

Without maxout:

./splunk search "| savedsearch name" -output csv > /data/test/export.csv

(in jobs view) | savedsearch Datos_Grupo_9 | head 100 | export add_timestamp=f add_offset=t format=csv segmentation=raw

With maxout:
./splunk search "| savedsearch name" -output csv -maxout 0 > /data/test/export.csv

(in jobs view) | savedsearch Datos_Grupo_9 | export add_timestamp=f add_offset=t format=csv segmentation=raw

0 Karma

the_wolverine
Champion

So the setting that we used in version 4.3.x did not affect EXPORT but it does in version 5.0?

0 Karma

Chubbybunny
Splunk Employee
Splunk Employee

limits.conf

  [restapi]
    # maximum result rows to be returned by /events or /results getters from REST API  
    maxresultrows = 50000

you'll need to increase that, enjoy!

(\__/)
(='.'=)
(")_(")
*shout-out to Rob C. too!

Rob
Splunk Employee
Splunk Employee

Thx Chubbybunny

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...