
How to stream Partial Results from Custom Search Command in Splunk?

sourav_query_ai

Hi there, 

I am trying to implement a use case where I have an API that keeps sending partial results (around 50-100) until all the results from the API are done. 

I have implemented a GeneratingCommand for it, and it returns correct results. 

However, I have to wait for quite some time, because Splunk returns results only when all the results from the API are collected in Splunk.

The use case I want: I do not wish to wait for all results, but I want to have the partial results returned in Splunk as soon as they are returned from the API - so I do not have to wait.

I have tried:

1) adding limits.conf

2) using chunked=True

3) editing maxresultrows and maxresults 

4) using flush() results 

5) converting to streaming command and using above steps 

But nothing seems to work. 

Please help, any help would be really appreciated. 

 
