Hello,
Situation: I have uploaded a little more than 1 million data rows to one of the Splunk indexers via a CSV file. When I do the search from the search head, I get the exact number of rows. But when I search through the REST API using the SDK, it is unable to return the entire data and stops at some arbitrary number (different every time).
Config Changes: Under search header I changed maxresultrows to 40000 (default 50000) to keep iterations of 40000 each. Also, I changed max_count to 1.2 million (default 500,000) so that I can get all of my data.
When I trigger my search I can see the query reached Splunk, visible from audit.log, and the query mentions the exact rows. Also, at the same time I can see iterations happening in splunkd_access.log for 40000 rows for each iteration. But suddenly the search stops without completing the total iterations. The stopping number is also different each time. Sometimes at 760000, other times at 800000, and some other time at 920000. But it never completed. I am looking into these logs on the search head.
I am not able to find any logs where it could have mentioned when it's not able to get all the data. In the end I should have got a CSV for all rows.
I am using Splunk 6.5.9.
Any suggestions? Thanks.