https://community.splunk.com/t5/Getting-Data-In/How-do-I-export-a-large-dataset-from-the-REST-API/m-p/448841#M78007 <P>It seems that the export API endpoint streams results instead of saving them and so allows you to have much larger result sets. </P> <P>The answer to the question is, therefore, not to use the /jobs/search endpoint to create a search job and then later go fetch the results. Instead, use export to stream it all over the wire.</P> Mon, 29 Oct 2018 19:43:11 GMT andrewbeak 2018-10-29T19:43:11Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-export-a-large-dataset-from-the-REST-API/m-p/448840#M78006 <P>Hi,</P> <P>I'm reading the documentation at <A href="http://docs.splunk.com/Documentation/Splunk/7.2.0/RESTREF/RESTsearch#search.2Fjobs">http://docs.splunk.com/Documentation/Splunk/7.2.0/RESTREF/RESTsearch#search.2Fjobs</A> but I'm having problems getting all the search results that I need.</P> <P>The logic that I thought would work is:</P> <OL> <LI>Create an asynchronous search job</LI> <LI>Regularly poll the job until it is done</LI> <LI>Fetch the resultCount from the job</LI> <LI>Fetch paginated results </LI> </OL> <P>I believe that there is some setting in limits.conf that restricts how many results you can pull at a time. By default, it's set to 50k and I'm using Splunk Cloud, so I can't touch this. That's why I'm fetching pages of results.</P> <P>However, no matter what I set max_count to in the search request, Splunk normalizes this request to 1000. When I call the API to get the number of results in the data-set, it says that there are 1000.</P> <P>Here is a screenshot from inspecting the job:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5996i99ECB3044A6157E5/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>What is the best way to use the API to get a large dataset out of Splunk?</P> Mon, 29 Oct 2018 18:27:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-export-a-large-dataset-from-the-REST-API/m-p/448840#M78006 andrewbeak 2018-10-29T18:27:05Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-export-a-large-dataset-from-the-REST-API/m-p/448841#M78007 <P>It seems that the export API endpoint streams results instead of saving them and so allows you to have much larger result sets. </P> <P>The answer to the question is, therefore, not to use the /jobs/search endpoint to create a search job and then later go fetch the results. Instead, use export to stream it all over the wire.</P> Mon, 29 Oct 2018 19:43:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-export-a-large-dataset-from-the-REST-API/m-p/448841#M78007 andrewbeak 2018-10-29T19:43:11Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-export-a-large-dataset-from-the-REST-API/m-p/448842#M78008 <P>The easiest way to export is in my opinion to do it via <CODE>curl</CODE>. E.g.</P> <PRE><CODE>curl -k -u USERNAME:PASSWORD <A href="https://SPLUNK_URL:8089/services/search/jobs/export" target="test_blank">https://SPLUNK_URL:8089/services/search/jobs/export</A> \ --data-urlencode search='search index="my-index" earliest=0 latest=now | table field1, field2' \ -d output_mode=csv \ -d earliest_time='-y@y' \ -d latest_time='@y' \ -o output-file.csv </CODE></PRE> <P>In this case from the previous year into the file <CODE>output-file.csv</CODE></P> Mon, 21 Jan 2019 14:10:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-export-a-large-dataset-from-the-REST-API/m-p/448842#M78008 happycoding 2019-01-21T14:10:08Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-export-a-large-dataset-from-the-REST-API/m-p/448843#M78009 <P>Andrew, we're getting XML parse errors from the jobs.export API over python SDK, whereas jobs.oneshot completes the same query (albeit too slow for our application). Is there an alternative, fast method to export query results as a single XML or json file perhaps? </P> Fri, 17 Jan 2020 15:15:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-export-a-large-dataset-from-the-REST-API/m-p/448843#M78009 alancalvitti 2020-01-17T15:15:49Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-export-a-large-dataset-from-the-REST-API/m-p/448844#M78010 <P>heres my powershell way of getting large results through rest </P> <P><A href="https://github.com/dstaulcu/SplunkTools/blob/master/Splunk-SearchLargeJobs-Example.ps1">https://github.com/dstaulcu/SplunkTools/blob/master/Splunk-SearchLargeJobs-Example.ps1</A></P> Sat, 18 Jan 2020 06:36:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-export-a-large-dataset-from-the-REST-API/m-p/448844#M78010 dstaulcu 2020-01-18T06:36:03Z