Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Export Top X query to CSV with 200,000 lines

EricPartington
Communicator
‎10-14-2010 04:08 PM

I am using splunk 4.1.X and am looking for some clarification for exporting the results of a query that uses | top dest_ip src_ip src_port

I have read this http://blogs.splunk.com/2009/08/07/help-i-cant-export-more-than-10000-events/

method 1 makes sense.

However if i export my query and set the Max # lines to larger than the resultset of the lines returned (210,000 to cover 206,100 lines) will I export all the results or will they get chopped/truncated?

The increased max lines seems to work as expected and I get all the results that I think i should get. Is this the best way to export and will I get all my results?

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎10-15-2010 12:55 AM

Not sure what you mean, this should work: 

<your search> | outputcsv myoutputfile.csv’

check how many results you get in splunk (206100), pipe to export to csv, open the file, you should have 206101 lines (one extra for the header)..

View solution in original post

Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎10-15-2010 12:55 AM

Not sure what you mean, this should work: 

<your search> | outputcsv myoutputfile.csv’

check how many results you get in splunk (206100), pipe to export to csv, open the file, you should have 206101 lines (one extra for the header)..

Reply
Solved! Jump to solution

EricPartington
Communicator
‎10-15-2010 05:31 PM

yup that works, but my results are not just a listing 206,100 lines long. They are a listing of the counts of source and dest ip. so the total lines that are used in the | top src_ip, dest_ip would total 206,100 but the output might only be 25 lines long if only 25 hosts make up those events.

I am guessing that the export depends on the number of underlying raw events used to make up the table that is exported?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...