I'm running into an issue with using the Splunk API and it only returning 30 records. I've searched the Splunk API, ATOM and opensearch documentation and I am still unable to determine how to page the records.
For example I am querying to get the current data inputs by calling https://%basesplunkurl%:8089/services/data/inputs/monitor
This returns a document with 30 records and the opensearch fields indicating that there is 34 records total.
opensearch:totalResults34/opensearch:totalResults opensearch:itemsPerPage30/opensearch:itemsPerPage opensearch:startIndex0/opensearch:startIndex
What do I have to do to get the next page of results? In this example the last 4 data input records?
So I used the web console and the splunkd_access.log file to figure out that the requests to these objects uses the opensearch REST parameters.
I changed my url to include a trailing ?count=-1 to return all records.
EX: https://%basesplunkurl%:8089/services/data/inputs/monitor?count=-1
View solution in original post
In general, you can use the offset parameter to get the next offset of results. So in your case, you'd pass in offset=30.
offset=30
