https://community.splunk.com/t5/Splunk-Search/Remote-and-Local-CLI-search-only-returns-100-events/m-p/26045#M4999 <P>There seems to be a problem with the "-output csv" parameter. When removed, I get all 10K results but in "rawevents" format. Also used "-output table" and I also get all 10K results. Is there some kind of bug with "-output csv" and it's limiting it to 100 results?</P> Sat, 07 Aug 2010 01:07:55 GMT vcarbona 2010-08-07T01:07:55Z https://community.splunk.com/t5/Splunk-Search/Remote-and-Local-CLI-search-only-returns-100-events/m-p/26044#M4998 <P>Here's my CLI search:</P> <P>SPLUNK_URI=https://splunk_search_head:8089</P> <P>/opt/splunk/bin/splunk search '|savedsearch "mysavedsearch"' -maxout 10000 -auth admin:changeme -output csv -wrap 0 &gt; customers_splunk</P> <P>When running the above command, I always get 100 results via the CLI both locally and remotely. When I run this locally, I don't add the URI environment variable. Via the Web, I get 300+. Tried the -maxout command even with the value of 0. Any ideas?</P> <P>Here's the saved search:</P> <P>sourcetype="my_vpn" State="QM_IDLE" | eval customer = if(isnull(customer_dst) and isnotnull(customer_src),customer_src,customer_dst) | eval gam = case(match(gam_dst, "null"),gam_src,match(gam_src, "null"),gam_dst)|dedup customer|fields customer,gam |fields - _*</P> <P>However, when I do the following CLI search locally, I do get 10000 results:</P> <P>/opt/splunk/bin/splunk search "sourcetype=my_vpn" -maxout 10000 -auth admin:changeme -output csv -wrap 0 &gt; customers_splunk</P> <P>But when running remotely, I only get 100 results. Is there a special setting I'm missing here?</P> <P>Any help is appreciated. -vc</P> Fri, 06 Aug 2010 10:31:56 GMT https://community.splunk.com/t5/Splunk-Search/Remote-and-Local-CLI-search-only-returns-100-events/m-p/26044#M4998 vcarbona 2010-08-06T10:31:56Z https://community.splunk.com/t5/Splunk-Search/Remote-and-Local-CLI-search-only-returns-100-events/m-p/26045#M4999 <P>There seems to be a problem with the "-output csv" parameter. When removed, I get all 10K results but in "rawevents" format. Also used "-output table" and I also get all 10K results. Is there some kind of bug with "-output csv" and it's limiting it to 100 results?</P> Sat, 07 Aug 2010 01:07:55 GMT https://community.splunk.com/t5/Splunk-Search/Remote-and-Local-CLI-search-only-returns-100-events/m-p/26045#M4999 vcarbona 2010-08-07T01:07:55Z https://community.splunk.com/t5/Splunk-Search/Remote-and-Local-CLI-search-only-returns-100-events/m-p/26046#M5000 <P>The comment above refers to running searches both locally and remotely.</P> Sat, 07 Aug 2010 03:33:35 GMT https://community.splunk.com/t5/Splunk-Search/Remote-and-Local-CLI-search-only-returns-100-events/m-p/26046#M5000 vcarbona 2010-08-07T03:33:35Z https://community.splunk.com/t5/Splunk-Search/Remote-and-Local-CLI-search-only-returns-100-events/m-p/26047#M5001 <P>Yes, there is a known bug when using <CODE>-output csv</CODE>. I believe this affects 4.1.4 and earlier (which is the current version).</P> <P>Not directly your question, but if you are able to use the <CODE>| outputcsv</CODE> search command to write your results to a <CODE>$SPLUNK_HOME/var/run/splunk</CODE> on the local machine and access them from there, that will run <EM>much</EM> faster than using -output csv on the CLI, locally or remotely, especially if you have more than a few hundred results.</P> Sun, 08 Aug 2010 03:25:36 GMT https://community.splunk.com/t5/Splunk-Search/Remote-and-Local-CLI-search-only-returns-100-events/m-p/26047#M5001 gkanapathy 2010-08-08T03:25:36Z https://community.splunk.com/t5/Splunk-Search/Remote-and-Local-CLI-search-only-returns-100-events/m-p/26048#M5002 <P>A quick workaround in 4.1.x is to add the flag "-count 0" which will allow up to a -maxout of 50000.</P> Mon, 09 Aug 2010 01:13:57 GMT https://community.splunk.com/t5/Splunk-Search/Remote-and-Local-CLI-search-only-returns-100-events/m-p/26048#M5002 Stephen_Sorkin 2010-08-09T01:13:57Z