https://community.splunk.com/t5/Splunk-Search/Limited-rows-returned-Splunk-CLI-for-a-table/m-p/449409#M172380 <P>First, yes, we are using "-maxout 0"<BR /> For some reason, on one of our hosts, when we run a particular query that pipes into a table, it only returns around ~3000 rows depending on the 24 hour period we are searching for.<BR /> Here are some of the unusual things we've noticed:<BR /> (1) Its not a resource issue. We have upgraded the host to 32 GB memory and 12 cores.<BR /> (2) If we run the query and just have it return raw events, it works as expected.<BR /> (3) The query works on another host in our cluster as expected so query is good.<BR /> (4) If we run for a window that is 3 hours or LESS it will return the number of rows as expected. 4 hours or more and it returns only around 3000 rows.<BR /> (5) I did notice that around 3 hours, it returns just under 1 million rows. Im wondering if there is a 1 million rows limit for tables in the CLI.<BR /> (6) This runs as expected in the Splunk web GUI.</P> <P>Any ideas?</P> Tue, 19 Mar 2019 15:15:28 GMT EricLloyd79 2019-03-19T15:15:28Z https://community.splunk.com/t5/Splunk-Search/Limited-rows-returned-Splunk-CLI-for-a-table/m-p/449409#M172380 <P>First, yes, we are using "-maxout 0"<BR /> For some reason, on one of our hosts, when we run a particular query that pipes into a table, it only returns around ~3000 rows depending on the 24 hour period we are searching for.<BR /> Here are some of the unusual things we've noticed:<BR /> (1) Its not a resource issue. We have upgraded the host to 32 GB memory and 12 cores.<BR /> (2) If we run the query and just have it return raw events, it works as expected.<BR /> (3) The query works on another host in our cluster as expected so query is good.<BR /> (4) If we run for a window that is 3 hours or LESS it will return the number of rows as expected. 4 hours or more and it returns only around 3000 rows.<BR /> (5) I did notice that around 3 hours, it returns just under 1 million rows. Im wondering if there is a 1 million rows limit for tables in the CLI.<BR /> (6) This runs as expected in the Splunk web GUI.</P> <P>Any ideas?</P> Tue, 19 Mar 2019 15:15:28 GMT https://community.splunk.com/t5/Splunk-Search/Limited-rows-returned-Splunk-CLI-for-a-table/m-p/449409#M172380 EricLloyd79 2019-03-19T15:15:28Z https://community.splunk.com/t5/Splunk-Search/Limited-rows-returned-Splunk-CLI-for-a-table/m-p/449410#M172381 <P>Can you share the query?</P> Tue, 19 Mar 2019 15:50:51 GMT https://community.splunk.com/t5/Splunk-Search/Limited-rows-returned-Splunk-CLI-for-a-table/m-p/449410#M172381 richgalloway 2019-03-19T15:50:51Z https://community.splunk.com/t5/Splunk-Search/Limited-rows-returned-Splunk-CLI-for-a-table/m-p/449411#M172382 <P>Sure.</P> <P>/opt/splunk/bin/splunk search 'sourcetype=xyz url=/foo/bar.jsp kpi01 earliest="03/06/2019:00:00:00" latest="03/06/2019:23:59:59" | rex field=_raw "(?:[^=\n]*=){2}(?P[^ ]+)" | eval date=strftime(_time, "%Y%m%d") | table date, mdn, fullItemID | streamstats count as row | fields row *' -maxout 0 &gt;&gt; output15.log</P> Tue, 29 Sep 2020 23:46:03 GMT https://community.splunk.com/t5/Splunk-Search/Limited-rows-returned-Splunk-CLI-for-a-table/m-p/449411#M172382 EricLloyd79 2020-09-29T23:46:03Z https://community.splunk.com/t5/Splunk-Search/Limited-rows-returned-Splunk-CLI-for-a-table/m-p/449412#M172383 <P>I tried it without the regex and it produced the same ~3000 rows only.</P> Tue, 19 Mar 2019 16:11:56 GMT https://community.splunk.com/t5/Splunk-Search/Limited-rows-returned-Splunk-CLI-for-a-table/m-p/449412#M172383 EricLloyd79 2019-03-19T16:11:56Z https://community.splunk.com/t5/Splunk-Search/Limited-rows-returned-Splunk-CLI-for-a-table/m-p/449413#M172384 <P>As a side note, when I print results as a table, it gets to about 431207 then halts for a second and then starts over at 1 and goes to about 3000.</P> <P>ex:</P> <P>431200 20190306 abc 5551212<BR /> 431201 20190306 abc 5551212<BR /> 431202 20190306 abc 5551212<BR /> 431203 20190306 abc 5551212<BR /> 431204 20190306 abc 5551212<BR /> 431205 20190306 abc 5551212<BR /> 431206 20190306 abc 5551212<BR /> 431207 20190306 abc 5551212<BR /> row date fullItemID mdn</P> <HR /> <P>1 20190306 abc 5551212<BR /> 2 20190306 abc 5551212<BR /> 3 20190306 abc 5551212<BR /> 4 20190306 abc 5551212<BR /> 5 20190306 abc 5551212<BR /> ... </P> Tue, 19 Mar 2019 16:30:39 GMT https://community.splunk.com/t5/Splunk-Search/Limited-rows-returned-Splunk-CLI-for-a-table/m-p/449413#M172384 EricLloyd79 2019-03-19T16:30:39Z