topic Re: Why am I only getting a maximum of 100 events returned through a oneshot search via Java SDK? in Splunk Search

Why am I only getting a maximum of 100 events returned through a oneshot search via Java SDK?

ahmadka2 — Sat, 06 Aug 2016 18:39:14 GMT

I'm using Splunk's Java SDK to get Splunk events, and the problem I'm facing is that Splunk only returns a maximum of 100 events, even if the search originally contains more than 100 events. How can I get all the events instead of just the 100 latest ones ?

I'm calling a one-shot search like this:

ServiceArgs loginArgs = new ServiceArgs();
loginArgs.setUsername(USERNAME_HERE);
loginArgs.setPassword(PASSWORD_HERE);
loginArgs.setHost(HOSTURL_HERE);
loginArgs.setPort(PORT_HERE);

HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);
Service service = Service.connect(loginArgs);
String searchQuery_normal = SEARCH_STRING_HERE;
JobArgs jobargs = new JobArgs();
jobargs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING);
Job job = service.getJobs().create(searchQuery_normal, jobargs);

//job only contains 100 events maximum

Doing an online search revealed that doing this before calling the search might help, but it doesn't -- I still get only 100 of the newest events, not all:

jobArgs.setAutoFinalizeEventCount(0);

Re: Why am I only getting a maximum of 100 events returned through a oneshot search via Java SDK?

jkat54 — Mon, 08 Aug 2016 02:21:36 GMT

Add &count=0 to your search uri. It defaults to 100.

http://docs.splunk.com/Documentation/Splunk/6.4.2/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D.2Fresults

Re: Why am I only getting a maximum of 100 events returned through a oneshot search via Java SDK?

TechDuke — Thu, 03 Nov 2016 00:08:36 GMT

Using the Java SDK, you can pass a JobResultsArgs object to the Job's getResults() method. Specify the count as 0 to return all available results, instead of just 100 (the default setting).

JobResultsArgs jobResultsArgs = new JobResultsArgs();
jobResultsArgs.setCount(0);
InputStream resultsNormalSearch = job.getResults(jobResultsArgs);

Then you can use the ResultsReaderXml to iterate through all the available events. However, this is still limited to the server's default configuration setting of max 50,000, or whatever it's set to.

For more info, see setCount method in JavaDocs for the Splunk SDK for Java:
http://docs.splunk.com/DocumentationStatic/JavaSDK/1.5.0/com/splunk/JobResultsArgs.html#setCount(int)

Re: Why am I only getting a maximum of 100 events returned through a oneshot search via Java SDK?

raksh — Tue, 07 Sep 2021 05:30:53 GMT

@ahmadka2 @TechDuke @jkat54

In my case even after setting the setCount to 0, I am unable to read it via ResultsReaderJson (Is it again possible if ResultsReaderJson reads only first 100 entries)

I have confirmed that stream contains all entries by printing it

String result = IOUtils.toString(stream, StandardCharsets.UTF_8);
System.out.println(result);