Hi,
I pull data into Splunk using the REST API Modular Input. The data is returned in json format.
I store the data in one index and run a scheduled search against this index once a day to populate a summary index to use with dashboards and analysis.
The following search in verbose mode returns 78k+ results, but when used to populate the summary index, it only returns 50,000 results into the summary index.
index=rest_ent_prod | spath output=GUID path=users{} | bucket span=1d _time | stats count by _time GUID groupName groupId
Can anyone help me populate the entire data set into the summary index?
Thanks,
Dan
Fixed it with the below.
index=rest_ent_prod | spath output=GUID path=users{} | bucket span=1d _time | table _time GUID groupName groupId | mvexpand GUID | dedup _time, GUID, groupName, groupId | table _time GUID groupName groupId
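As an added illustration (not part of the original answer, and not Splunk's own code), the Python below re-implements the logic of the fixed search on a handful of constructed JSON events of the shape the REST API Modular Input would index: `spath` pulls the `users{}` array into a multivalue `GUID` field, `bucket span=1d` floors `_time` to the day, `mvexpand` turns each multivalue event into one row per user, and `dedup` keeps one row per distinct (`_time`, `GUID`, `groupName`, `groupId`) combination. The sample events, field names and timestamps are assumptions for the example; the summary-index result cap the question describes is a Splunk behaviour that a local simulation cannot reproduce.

```python
import json
from datetime import datetime, timezone

# Constructed sample events (not data from the original post). Each event is one
# JSON payload with a users[] array, as the REST API Modular Input would index it.
DAY1 = int(datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc).timestamp())
DAY2 = int(datetime(2024, 1, 2, 9, 30, tzinfo=timezone.utc).timestamp())
SAMPLE_EVENTS = [
    {"_time": DAY1,        "_raw": json.dumps({"groupName": "admins",  "groupId": 1, "users": ["g-1", "g-2"]})},
    {"_time": DAY1 + 3600, "_raw": json.dumps({"groupName": "admins",  "groupId": 1, "users": ["g-2", "g-3"]})},
    {"_time": DAY2,        "_raw": json.dumps({"groupName": "readers", "groupId": 2, "users": ["g-1"]})},
    {"_time": DAY2 + 60,   "_raw": json.dumps({"groupName": "readers", "groupId": 2, "users": []})},
]


def spath_users(event):
    """spath output=GUID path=users{}: extract the users array as a multivalue field."""
    payload = json.loads(event["_raw"])
    return {
        "_time": event["_time"],
        "GUID": list(payload.get("users", [])),
        "groupName": payload.get("groupName"),
        "groupId": payload.get("groupId"),
    }


def bucket_1d(ts):
    """bucket span=1d _time: floor the epoch timestamp to midnight UTC."""
    return ts - (ts % 86400)


def mvexpand_guid(row):
    """mvexpand GUID: one row per value; an empty multivalue field yields no rows."""
    return [dict(row, GUID=g) for g in row["GUID"]]


def summary_rows(events):
    """Simulate the fixed search:
    ... | bucket span=1d _time | table ... | mvexpand GUID
        | dedup _time, GUID, groupName, groupId | table _time GUID groupName groupId
    Returns the distinct rows, in first-seen order, as (_time, GUID, groupName, groupId) tuples.
    """
    seen = set()
    out = []
    for ev in events:
        row = spath_users(ev)
        row["_time"] = bucket_1d(row["_time"])
        for r in mvexpand_guid(row):
            key = (r["_time"], r["GUID"], r["groupName"], r["groupId"])
            if key not in seen:          # dedup keeps the first occurrence of each key
                seen.add(key)
                out.append(key)
    return out


if __name__ == "__main__":
    for t, guid, name, gid in summary_rows(SAMPLE_EVENTS):
        day = datetime.fromtimestamp(t, tz=timezone.utc).date()
        print(f"{day} {guid:5} {name:8} {gid}")
```

Note that the fourth sample event has an empty `users` array, so `mvexpand` produces no row for it and it never reaches the summary index; if empty groups matter for the dashboards, that is worth checking in the real data before relying on the dedup'd output.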