Getting Data In

Show Source and save as CSV truncate large events?

pde
Path Finder

I have records that consist of fairly large (200+ lines, > 20 Kb per record) XML documents.

When I export the results of a search for these records to CSV, the _raw cell is truncated; the full record is not written to the _raw cell (note: not an Excel issue. The records are not larger than the 32K-1 byte Excel maximum, and editing the CSV directly shows that the record is indeed truncated).

The records are similarly truncated in a "Show Source" view.

What gives?

Thanks

-Pete

Tags (2)
0 Karma
1 Solution

steveyz
Splunk Employee
Splunk Employee

When the UI typically issues a request for events, it will ask the backend to truncate long events above a certain number of lines. My guess is that this limit is in force even for show search and export as csv from the UI, because they share a common access point. To get around this issue, you can append "| outputcsv <filename>" to the end of your search, and the full csv file should be written out to $SPLUNK_HOME/var/run/splunk/<filename>

View solution in original post

0 Karma

steveyz
Splunk Employee
Splunk Employee

When the UI typically issues a request for events, it will ask the backend to truncate long events above a certain number of lines. My guess is that this limit is in force even for show search and export as csv from the UI, because they share a common access point. To get around this issue, you can append "| outputcsv <filename>" to the end of your search, and the full csv file should be written out to $SPLUNK_HOME/var/run/splunk/<filename>

0 Karma

pde
Path Finder

Interesting. The main UI displays the full event...

The solution works, but is of little use to my users, who do not get shell access to the server. I suppose an enhancement is in order.

Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...