However, if I export my query and set the Max # lines to larger than the result set of the lines returned (210,000 to cover 206,100 lines), will I export all the results or will they get chopped/truncated?
The increased max lines seems to work as expected and I get all the results that I think I should get. Is this the best way to export and will I get all my results?
Yup, that works, but my results are not just a listing 206,100 lines long. They are a listing of the counts of source and dest IP. So the total lines that are used in the | top srcip, destip would total 206,100, but the output might only be 25 lines long if only 25 hosts make up those events.
I am guessing that the export depends on the number of underlying raw events used to make up the table that is exported?