All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk ODBC with Tableau not returning full data set

marcjimz
New Member
‎04-07-2017 06:18 AM

Hello there -

I am able to connect to my Splunk saved search in the Tableau desktop tool, but when pulling the results I can only get a partial return of my data set. For some saved searches the max # of records I can get is a 1000, and for others it is 555. I am thinking this is a parameter configured somewhere that is not enabling me to pull all the records.

Any ideas?

0 Karma
Reply

DalJeanis
Legend
‎04-12-2017 09:46 AM

Start by adding | table field1 field2...etc to the end of your search query with the fields you need to return, then retest.

Often, that avoids this issue.

https://answers.splunk.com/answers/93990/savedsearch-command-only-returns-maximum-10000-results.html

If that doesn't solve your problem, then look at limits.conf (maxresultrows) and savedsearches.conf (dispatch.max_count). Neither of these fields normally defaults to 1000, so they are probably not the issue, but those are some places to look.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf
http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Savedsearchesconf

0 Karma
Reply

marcjimz
New Member
‎04-12-2017 12:37 PM

Thanks DalJeanis for looking into my problem. I tried a different instance of splunk (our non-prod instance), and this time it returns 29k records. But I notice that this # is actually the # of the last written entry to the index - we write about 29k records every 30 minutes. So I should be pulling way more than 29k records but somehow the ODBC connector limits itself to the last search run time.

Any ideas?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...