Splunk ODBC with Tableau not returning full data s...

marcjimz · ‎04-07-2017

Hello there -

I am able to connect to my Splunk saved search in the Tableau desktop tool, but when pulling the results I can only get a partial return of my data set. For some saved searches the max # of records I can get is a 1000, and for others it is 555. I am thinking this is a parameter configured somewhere that is not enabling me to pull all the records.

Any ideas?

DalJeanis · ‎04-12-2017

Start by adding | table field1 field2...etc to the end of your search query with the fields you need to return, then retest.

Often, that avoids this issue.

https://answers.splunk.com/answers/93990/savedsearch-command-only-returns-maximum-10000-results.html

If that doesn't solve your problem, then look at limits.conf (maxresultrows) and savedsearches.conf (dispatch.max_count). Neither of these fields normally defaults to 1000, so they are probably not the issue, but those are some places to look.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf
http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Savedsearchesconf

marcjimz · ‎04-12-2017

Thanks DalJeanis for looking into my problem. I tried a different instance of splunk (our non-prod instance), and this time it returns 29k records. But I notice that this # is actually the # of the last written entry to the index - we write about 29k records every 30 minutes. So I should be pulling way more than 29k records but somehow the ODBC connector limits itself to the last search run time.

Any ideas?

Splunk ODBC with Tableau not returning full data set

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?