Re: Missing records when exporting to a text file

cesca · ‎11-29-2011

Hi,

I'm using splunk 4.2.4 and performed in the GUI a search that says something easy like host="AAA" OR host="BBB". It works since I can see the records for the AAA host and the BBB host and if pickup just the BBB host I see about 40 records. However, when I export the search result to a text file using the GUI and choosing the Raw data option, there are some records missing in the text file. If there were 1000 entries regarding host AAA and 40 entries regarding host BBB I just see the 1000 from AAA and only 3 entries of host BBB.

Do you have any idea why it can be happening? It only occurs in the exported file. In the GUI I can see all the entries correctly. I'm exporting about 102.000 records.

Thanks a lot,

-- Xavi

cesca · ‎11-29-2011

Hi,

Thanks for the information. I'll try to export it using the CLI commands until the 4.3 is released:

splunk search '*' -maxout 0

splunk search '*' -maxout 0 | wc -l

splunk search '*' -maxout 0 > exportfile.txt

I'll try to find out how to define the time range with theses commands.

gkanapathy · ‎11-29-2011

I believe the GUI export in 4.2 and lower has a limit of about 10k or 50k entries. In any case, it's less than 102k records. I believe 4.3 will have no such limit.

Missing records when exporting to a text file

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!