Export Top X query to CSV with 200,000 lines

Communicator

I am using Splunk 4.1.X and am looking for some clarification on exporting the results of a query that uses | top dest_ip src_ip src_port

I have read this http://blogs.splunk.com/2009/08/07/help-i-cant-export-more-than-10000-events/

Method 1 makes sense.

However, if I export my query and set the Max # lines to larger than the result set of the lines returned (210,000 to cover 206,100 lines), will I export all the results or will they get chopped/truncated?

The increased max lines seems to work as expected and I get all the results that I think I should get. Is this the best way to export, and will I get all my results?

Thanks


Re: Export Top X query to CSV with 200,000 lines

Splunk Employee

Not sure what you mean, this should work:

<your search> | outputcsv myoutputfile.csv

Check how many results you get in Splunk (206100), pipe to export to CSV, open the file; you should have 206101 lines (one extra for the header).


Re: Export Top X query to CSV with 200,000 lines

Communicator

Yup, that works, but my results are not just a listing 206,100 lines long. They are a listing of the counts of source and dest IP, so the total lines that are used in the | top srcip, destip would total 206,100, but the output might only be 25 lines long if only 25 hosts make up those events.

I am guessing that the export depends on the number of underlying raw events used to make up the table that is exported?

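As an added illustration (not from the thread, and not Splunk's own code), here is a small Python model of what happens between the raw events and the exported file: `top` collapses the raw events into one row per distinct field combination (with count and percent columns, sorted by count, capped at `top`'s default limit of 10 rows), and `outputcsv` then writes those rows plus one header line. The sample events are constructed; the `top` and CSV helpers are simplified stand-ins for the real commands.

```python
import csv
import io
from collections import Counter

# Constructed sample data: 12 raw events that fall into only 4 distinct
# (dest_ip, src_ip, src_port) combinations. Not taken from the thread.
FIELDS = ["dest_ip", "src_ip", "src_port"]
EVENTS = (
    [{"dest_ip": "10.0.0.5", "src_ip": "192.168.1.10", "src_port": "51000"}] * 5
    + [{"dest_ip": "10.0.0.5", "src_ip": "192.168.1.11", "src_port": "51001"}] * 4
    + [{"dest_ip": "10.0.0.9", "src_ip": "192.168.1.10", "src_port": "51002"}] * 2
    + [{"dest_ip": "10.0.0.9", "src_ip": "192.168.1.12", "src_port": "51003"}] * 1
)


def top(events, fields, limit=10):
    """Simplified model of Splunk's `top`: count each distinct combination of
    `fields`, add count/percent columns, sort by count descending, and keep at
    most `limit` rows (10 is the command's default). The number of rows depends
    on the number of distinct combinations, not on the number of raw events."""
    counts = Counter(tuple(event[f] for f in fields) for event in events)
    total = sum(counts.values())
    rows = []
    for combo, n in counts.most_common(limit):
        row = dict(zip(fields, combo))
        row["count"] = n
        row["percent"] = round(100.0 * n / total, 6)
        rows.append(row)
    return rows


def to_csv(rows, fields):
    """Simplified model of `| outputcsv`: one header line, then one line per
    result row handed to it (the aggregated rows, not the raw events)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields + ["count", "percent"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def export_line_count(events, fields):
    """Lines in the exported file: aggregated rows + 1 header line."""
    return len(to_csv(top(events, fields), fields).splitlines())


if __name__ == "__main__":
    print(f"{len(EVENTS)} raw events -> {len(top(EVENTS, FIELDS))} result rows")
    print(to_csv(top(EVENTS, FIELDS), FIELDS))
```

With these 12 events the file has 5 lines (4 rows plus the header), and the 12 raw events only show up summed in the count column.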