https://community.splunk.com/t5/Splunk-Search/Upper-Limit-for-REST-API-limits-conf-maxresultrows/m-p/20373#M3170 <P>One problem with the above is, that Splunk will search over all events, and in case you have a few million events and want to query the first 200000, the search will take rather long time (of course depends on the machine it runs on).</P> <P>You need to add <CODE>| head n</CODE> with appropriate <CODE>n</CODE>, e.g. 200000 so that Splunk will return the results as soon as it found the first 200000 events. Further optimization could be to dynamically calculate <CODE>n</CODE> e.g. 50k, 100k, 150k, 200k in each respective iteration.</P> Thu, 27 Jun 2013 15:28:36 GMT andras_kerekes 2013-06-27T15:28:36Z https://community.splunk.com/t5/Splunk-Search/Upper-Limit-for-REST-API-limits-conf-maxresultrows/m-p/20371#M3168 <P>Is there an upper end limit on this value? In certain use cases, there might be a need to return a very large number of results.</P> Tue, 31 May 2011 23:14:06 GMT https://community.splunk.com/t5/Splunk-Search/Upper-Limit-for-REST-API-limits-conf-maxresultrows/m-p/20371#M3168 Chris_Olson 2011-05-31T23:14:06Z https://community.splunk.com/t5/Splunk-Search/Upper-Limit-for-REST-API-limits-conf-maxresultrows/m-p/20372#M3169 <P>I would not raise the limit. Instead, you can simply make multiple calls to the GET endpoint, in blocks smaller than the default <CODE>maxresultrows</CODE> limit of 50,000 until you have exhausted the number of events returned, i.e, the first call uses <CODE>offset=0&amp;count=50000</CODE>, the next uses <CODE>offset=50000&amp;count=50000</CODE>, then <CODE>offset=100000&amp;count=50000</CODE>, etc. Your program that calls the endpoint can output each block as it get it.</P> Wed, 01 Jun 2011 07:48:09 GMT https://community.splunk.com/t5/Splunk-Search/Upper-Limit-for-REST-API-limits-conf-maxresultrows/m-p/20372#M3169 gkanapathy 2011-06-01T07:48:09Z https://community.splunk.com/t5/Splunk-Search/Upper-Limit-for-REST-API-limits-conf-maxresultrows/m-p/20373#M3170 <P>One problem with the above is, that Splunk will search over all events, and in case you have a few million events and want to query the first 200000, the search will take rather long time (of course depends on the machine it runs on).</P> <P>You need to add <CODE>| head n</CODE> with appropriate <CODE>n</CODE>, e.g. 200000 so that Splunk will return the results as soon as it found the first 200000 events. Further optimization could be to dynamically calculate <CODE>n</CODE> e.g. 50k, 100k, 150k, 200k in each respective iteration.</P> Thu, 27 Jun 2013 15:28:36 GMT https://community.splunk.com/t5/Splunk-Search/Upper-Limit-for-REST-API-limits-conf-maxresultrows/m-p/20373#M3170 andras_kerekes 2013-06-27T15:28:36Z https://community.splunk.com/t5/Splunk-Search/Upper-Limit-for-REST-API-limits-conf-maxresultrows/m-p/20374#M3171 <P>This is incorrect. Splunk lets you query results and events from the REST API before the search has completed. You can see this in effect whenever you perform a large search from the UI (which itself uses the REST API). By trying to engineer smaller searches yourself (which is what you'd do if you were, say, querying against MySQL or a traditional RDBMS, and which is unnecessary in Splunk) you are complicating your code, putting extra load on the server, and possibly preventing your query from effective map-reduce execution.</P> Thu, 27 Jun 2013 16:05:06 GMT https://community.splunk.com/t5/Splunk-Search/Upper-Limit-for-REST-API-limits-conf-maxresultrows/m-p/20374#M3171 gkanapathy 2013-06-27T16:05:06Z https://community.splunk.com/t5/Splunk-Search/Upper-Limit-for-REST-API-limits-conf-maxresultrows/m-p/661279#M228308 <P>Hi experts,</P><P>After submitting a search query via REST API, is there a way to check number of events the search results for the job id?</P><P>Without which, I won't know if&nbsp; how many GET each limited to 50K results which is something I run into as well.</P><P>Alternatively, is there an argument that I can use in HTTP GET to splunk to override the 50K limit?</P><P>Thanks,</P><P>MCW</P> Thu, 19 Oct 2023 00:06:16 GMT https://community.splunk.com/t5/Splunk-Search/Upper-Limit-for-REST-API-limits-conf-maxresultrows/m-p/661279#M228308 MCW 2023-10-19T00:06:16Z