- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Powershell Resource kit Search has Max 100 re...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Powershell Resource kit Search has Max 100 results
I have been playing around with the powershell resource kit, trying to use it as a searching interface to use with automation. I am trying to get results in exess of 100 events. Even with the use of the -MaxReturnCount option, it only returns up to 100 (allows to decrease from 100, but not increase above). I have found several other posts on modifying this but not in the powershell resource kit.
As I look at the splunk-core .psm1 file i can see where we could edit the $PostString variable, but thought I should report this as a possible bug.
Example script:
$credential = Get-Credential
Connect-Splunk -Credential $credential –ComputerName Computername
$connection = Get-SplunkConnectionObject
$search = $Connection | Search-Splunk -Search 'source="PS_VMHost_Config" earliest=-10d@d latest=now'-MaxTime 30 -MaxReturnCount 30 -Verbose
Any assistance would be great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems the powershell parameter maxreturncount creates the header addition "max_count=" when it should simply add "count="
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fix committed. Test please! https://github.com/splunk/splunk-reskit-powershell/archive/master.zip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TY Drainy 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Switcharooed to an answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cohatch, why don't you type this up as an Answer so that others can vote on it. I assume that you are talking about changing splunk-search.psm1, line 93 from "max_count" to "count", correct? Write that up as an answer, confirm that you've tested it, and I'll commit it to Github. TIA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks jkcouch. I will get this fixed. I thought we added an override for this but I believe you are you correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cohatch - that fixed it for me too. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any update on this? Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Brandon!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
