Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Powershell Resource kit Search has Max 100 re...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Powershell Resource kit Search has Max 100 results
I have been playing around with the powershell resource kit, trying to use it as a searching interface to use with automation. I am trying to get results in exess of 100 events. Even with the use of the -MaxReturnCount option, it only returns up to 100 (allows to decrease from 100, but not increase above). I have found several other posts on modifying this but not in the powershell resource kit.
As I look at the splunk-core .psm1 file i can see where we could edit the $PostString variable, but thought I should report this as a possible bug.
Example script:
$credential = Get-Credential
Connect-Splunk -Credential $credential –ComputerName Computername
$connection = Get-SplunkConnectionObject
$search = $Connection | Search-Splunk -Search 'source="PS_VMHost_Config" earliest=-10d@d latest=now'-MaxTime 30 -MaxReturnCount 30 -Verbose
Any assistance would be great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems the powershell parameter maxreturncount creates the header addition "max_count=" when it should simply add "count="
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fix committed. Test please! https://github.com/splunk/splunk-reskit-powershell/archive/master.zip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TY Drainy 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Switcharooed to an answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cohatch, why don't you type this up as an Answer so that others can vote on it. I assume that you are talking about changing splunk-search.psm1, line 93 from "max_count" to "count", correct? Write that up as an answer, confirm that you've tested it, and I'll commit it to Github. TIA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks jkcouch. I will get this fixed. I thought we added an override for this but I believe you are you correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cohatch - that fixed it for me too. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any update on this? Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Brandon!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
