https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191587#M2590 <P>Thanks @martin_mueller. I will try that out.</P> Tue, 07 Jul 2015 16:41:37 GMT karan1337 2015-07-07T16:41:37Z https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191580#M2583 <P>Hi,</P> <P>I am trying to export (Stream) huge search results by using the REST API directly in python. For 1 minute of data, I get about 600,000 events. For 10 minutes I am able to get the data, but when I increase the time for more than 10 minutes, the search auto finalizes. (I see in the Jobs page that my search is not available in the UI, but the dispatch status is "finalizing")</P> <P>My export search is something like: </P> <PRE><CODE>index=somename sourcetype=somename earliest=-20m | table _indextime, _raw </CODE></PRE> <P>Is there any setting that restricts even the export api from streaming all results? </P> Sun, 05 Jul 2015 23:06:00 GMT https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191580#M2583 karan1337 2015-07-05T23:06:00Z https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191581#M2584 <P>For large jobs you'd be better off creating a search "traditionally" by POSTing to <CODE>search/jobs</CODE> instead of <CODE>search/jobs/export</CODE>, retrieve the sid, and then load results off that sid. See this snippet from the docs:</P> <PRE><CODE>If it is too big, you might instead run with the search/jobs (not search/jobs/export) endpoint (it takes POST with the same parameters), maybe using the exec_mode=blocking. You'll then get back a search id, and then you can page through the results and request them from the server under your control, which is a better approach for extremely large result sets that need to be chunked. </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/RESTREF/RESTsearch#search.2Fjobs.2Fexport">http://docs.splunk.com/Documentation/Splunk/6.2.3/RESTREF/RESTsearch#search.2Fjobs.2Fexport</A></P> Sun, 05 Jul 2015 23:20:11 GMT https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191581#M2584 martin_mueller 2015-07-05T23:20:11Z https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191582#M2585 <P>Here's what the docs recommend on exporting large volumes: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Exportsearchresults#Python_SDK">http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Exportsearchresults#Python_SDK</A></P> Sun, 05 Jul 2015 23:28:01 GMT https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191582#M2585 martin_mueller 2015-07-05T23:28:01Z https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191583#M2586 <P>@martin_mueller I tried this and the only issue was streaming using the SDK is taking a hit on performance in my use case. Export or search directly using the REST API is way faster than using the SDK.</P> Sun, 05 Jul 2015 23:37:45 GMT https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191583#M2586 karan1337 2015-07-05T23:37:45Z https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191584#M2587 <P>@martin_mueller I also tried POSTing to /search/jobs. For a large set of results (more than 10 million), this endpoint is not giving me more than 500,009 results ( i don't know the reason for this number). When i append | table * to my query, i do get all results but the result took more than 1 hour to stream back to my remote system from the splunk machine. Such a long time might not be practical for my use case.</P> Mon, 06 Jul 2015 05:15:53 GMT https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191584#M2587 karan1337 2015-07-06T05:15:53Z https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191585#M2588 <P><CODE>| table *</CODE> is a terrible idea because it tells Splunk to extract ALL the fields. Consider <CODE>| table _raw</CODE> instead if that's all you're looking to export.</P> Mon, 06 Jul 2015 16:49:14 GMT https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191585#M2588 martin_mueller 2015-07-06T16:49:14Z https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191586#M2589 <P>You may get <EM>much</EM> better speeds if you set <CODE>output_mode=raw</CODE>:</P> <PRE><CODE>$ curl -k -u admin:changeme <A href="https://localhost:8089/services/search/jobs/export" target="test_blank">https://localhost:8089/services/search/jobs/export</A> -d search="search index=_internal" -d output_mode=raw &gt; outfile % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 686M 0 686M 0 45 13.1M 0 --:--:-- 0:00:52 --:--:-- 12.0M $ cat outfile | wc -l 4007497 </CODE></PRE> <P>Four million events, 700MB, 52 seconds, run on my home all-in-one Splunk instance.</P> Mon, 06 Jul 2015 17:18:54 GMT https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191586#M2589 martin_mueller 2015-07-06T17:18:54Z https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191587#M2590 <P>Thanks @martin_mueller. I will try that out.</P> Tue, 07 Jul 2015 16:41:37 GMT https://community.splunk.com/t5/Splunk-Dev/Using-the-REST-API-in-Python-to-export-large-search-results-why/m-p/191587#M2590 karan1337 2015-07-07T16:41:37Z