All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk ODBC with Tableau not returning full data set

marcjimz
New Member
‎04-07-2017 06:18 AM

Hello there -

I am able to connect to my Splunk saved search in the Tableau desktop tool, but when pulling the results I can only get a partial return of my data set. For some saved searches the max # of records I can get is a 1000, and for others it is 555. I am thinking this is a parameter configured somewhere that is not enabling me to pull all the records.

Any ideas?

0 Karma
Reply

DalJeanis
Legend
‎04-12-2017 09:46 AM

Start by adding | table field1 field2...etc to the end of your search query with the fields you need to return, then retest.

Often, that avoids this issue.

https://answers.splunk.com/answers/93990/savedsearch-command-only-returns-maximum-10000-results.html

If that doesn't solve your problem, then look at limits.conf (maxresultrows) and savedsearches.conf (dispatch.max_count). Neither of these fields normally defaults to 1000, so they are probably not the issue, but those are some places to look.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf
http://docs.splunk.com/Documentation/Splunk/6.5.3/Admin/Savedsearchesconf

0 Karma
Reply

marcjimz
New Member
‎04-12-2017 12:37 PM

Thanks DalJeanis for looking into my problem. I tried a different instance of splunk (our non-prod instance), and this time it returns 29k records. But I notice that this # is actually the # of the last written entry to the index - we write about 29k records every 30 minutes. So I should be pulling way more than 29k records but somehow the ODBC connector limits itself to the last search run time.

Any ideas?

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...