https://community.splunk.com/t5/Splunk-Search/Splunk-Java-SDK-Why-does-quot-Export-Search-quot-return/m-p/217219#M63795 <P>May have found at least a partial answer/solution... my query string ended with:</P> <P><CODE>... | table entityKey</CODE></P> <P>What seems to have made a difference is using "fields" instead:</P> <P><CODE>... | fields entityKey | fields - _*</CODE></P> <P>And then of course it turns out this line (which I added after my flailing had begun) prevents the search from ever finishing:</P> <P><CODE>searchArgs.setAutoFinalizeEventCount(0);</CODE></P> <P>So, fix the search string, remove that Arg, and voila: ~4M unique results.</P> Wed, 24 Feb 2016 03:46:12 GMT bentuit 2016-02-24T03:46:12Z https://community.splunk.com/t5/Splunk-Search/Splunk-Java-SDK-Why-does-quot-Export-Search-quot-return/m-p/217218#M63794 <P><STRONG>I've been experimenting with a number of different settings, but here are my current search args:</STRONG></P> <PRE><CODE>JobExportArgs searchArgs = new JobExportArgs(); searchArgs.setIndexEarliest(startDate.toString("YYYY-MM-DDThh:mm:ss.mss")); searchArgs.setIndexLatest(endDate.toString("YYYY-MM-DDThh:mm:ss.mss")); searchArgs.setSearchMode(JobExportArgs.SearchMode.NORMAL); searchArgs.setOutputMode(JobExportArgs.OutputMode.XML); searchArgs.setAutoCancel(0); searchArgs.setAutoFinalizeEventCount(0); searchArgs.setAutoPause(0); </CODE></PRE> <P><STRONG>I then invoke the search and parse the result more or less identically to the code sample in "To run an export search"...</STRONG></P> <PRE><CODE>MultiResultsReaderXml multiResultsReader = new MultiResultsReaderXml(service.export(search, searchArgs)); for (SearchResults searchResults : multiResultsReader) { if (searchResults.isPreview()) log.info("Search in progress"); else log.info("Search finalized"); for (Event event : searchResults) { for (String k: event.keySet()) { String s = event.get(k); // add string to collection } } } </CODE></PRE> <P><STRONG>This returns on the order of 100k-200k results, many of which are duplicates. If I paste the exact same search string into the Web UI, and set the custom time range to the exact same earliest/latest times, I get back ~4M unique results.</STRONG></P> <P>This is a very large search, which is why I opted for the export search (based on documentation); was that the wrong move? Am I doing something wrong in the parsing of my results? Am I missing some vital search arg? You can see I'm setting everything to 0 right now, mostly because I have no idea what might be cutting the search off short.</P> Wed, 24 Feb 2016 01:46:51 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Java-SDK-Why-does-quot-Export-Search-quot-return/m-p/217218#M63794 bentuit 2016-02-24T01:46:51Z https://community.splunk.com/t5/Splunk-Search/Splunk-Java-SDK-Why-does-quot-Export-Search-quot-return/m-p/217219#M63795 <P>May have found at least a partial answer/solution... my query string ended with:</P> <P><CODE>... | table entityKey</CODE></P> <P>What seems to have made a difference is using "fields" instead:</P> <P><CODE>... | fields entityKey | fields - _*</CODE></P> <P>And then of course it turns out this line (which I added after my flailing had begun) prevents the search from ever finishing:</P> <P><CODE>searchArgs.setAutoFinalizeEventCount(0);</CODE></P> <P>So, fix the search string, remove that Arg, and voila: ~4M unique results.</P> Wed, 24 Feb 2016 03:46:12 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Java-SDK-Why-does-quot-Export-Search-quot-return/m-p/217219#M63795 bentuit 2016-02-24T03:46:12Z