Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I only getting a maximum of 100 events returned through a oneshot search via Java SDK?

ahmadka2
New Member
‎08-06-2016 11:39 AM

I'm using Splunk's Java SDK to get Splunk events, and the problem I'm facing is that Splunk only returns a maximum of 100 events, even if the search originally contains more than 100 events. How can I get all the events instead of just the 100 latest ones ?

I'm calling a one-shot search like this:

ServiceArgs loginArgs = new ServiceArgs();
loginArgs.setUsername(USERNAME_HERE);
loginArgs.setPassword(PASSWORD_HERE);
loginArgs.setHost(HOSTURL_HERE);
loginArgs.setPort(PORT_HERE);

HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);
Service service = Service.connect(loginArgs);
String searchQuery_normal = SEARCH_STRING_HERE;
JobArgs jobargs = new JobArgs();
jobargs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
Job job = service.getJobs().create(searchQuery_normal, jobargs);

//job only contains 100 events maximum

Doing an online search revealed that doing this before calling the search might help, but it doesn't -- I still get only 100 of the newest events, not all:

jobArgs.setAutoFinalizeEventCount(0);
0 Karma
Reply

raksh
New Member
‎09-06-2021 10:25 PM

@ahmadka2 @TechDuke @jkat54 

In my case even after setting the setCount to 0, I am unable to read it via ResultsReaderJson (Is it again possible if ResultsReaderJson reads only first 100 entries)

I have confirmed that stream contains all entries by printing it

String result = IOUtils.toString(stream, StandardCharsets.UTF_8);
System.out.println(result);

 

0 Karma
Reply

TechDuke
Engager
‎11-02-2016 05:08 PM

Using the Java SDK, you can pass a JobResultsArgs object to the Job's getResults() method. Specify the count as 0 to return all available results, instead of just 100 (the default setting). 

JobResultsArgs jobResultsArgs = new JobResultsArgs();
jobResultsArgs.setCount(0);
InputStream resultsNormalSearch = job.getResults(jobResultsArgs);

Then you can use the ResultsReaderXml to iterate through all the available events. However, this is still limited to the server's default configuration setting of max 50,000, or whatever it's set to.

For more info, see setCount method in JavaDocs for the Splunk SDK for Java:
http://docs.splunk.com/DocumentationStatic/JavaSDK/1.5.0/com/splunk/JobResultsArgs.html#setCount(int...

Reply

jkat54
SplunkTrust
SplunkTrust
‎08-07-2016 07:21 PM

Add &count=0 to your search uri. It defaults to 100.

http://docs.splunk.com/Documentation/Splunk/6.4.2/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D...

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...