Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Export Top X query to CSV with 200,000 lines

EricPartington
Communicator
‎10-14-2010 04:08 PM

I am using splunk 4.1.X and am looking for some clarification for exporting the results of a query that uses | top dest_ip src_ip src_port

I have read this http://blogs.splunk.com/2009/08/07/help-i-cant-export-more-than-10000-events/

method 1 makes sense.

However if i export my query and set the Max # lines to larger than the resultset of the lines returned (210,000 to cover 206,100 lines) will I export all the results or will they get chopped/truncated?

The increased max lines seems to work as expected and I get all the results that I think i should get. Is this the best way to export and will I get all my results?

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎10-15-2010 12:55 AM

Not sure what you mean, this should work: 

<your search> | outputcsv myoutputfile.csv’

check how many results you get in splunk (206100), pipe to export to csv, open the file, you should have 206101 lines (one extra for the header)..

View solution in original post

Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎10-15-2010 12:55 AM

Not sure what you mean, this should work: 

<your search> | outputcsv myoutputfile.csv’

check how many results you get in splunk (206100), pipe to export to csv, open the file, you should have 206101 lines (one extra for the header)..

Reply
Solved! Jump to solution

EricPartington
Communicator
‎10-15-2010 05:31 PM

yup that works, but my results are not just a listing 206,100 lines long. They are a listing of the counts of source and dest ip. so the total lines that are used in the | top src_ip, dest_ip would total 206,100 but the output might only be 25 lines long if only 25 hosts make up those events.

I am guessing that the export depends on the number of underlying raw events used to make up the table that is exported?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...