Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Using CURLP PHP to export results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi to all, i'm trying to export result with php curl using this :
curl -u admin:changeme \
-k https://localhost:8089/servicesNS/admin/search/jobs/1423855196.339/results/ \
--get -d output_mode=csv-d count=5
I made different try in php, but i'm not able to pass parameter like output_mode and count.
If i try with CURLOPT_POST and CURLOPT_POSTFIELDS i get "Method Not Allowed"
Can someone help me please?
Thanks and regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I write here complete answer if someone need.
As already wrote the correct query to curl and export results with PHP is:
https://localhost:8089/services/search/jobs//results/?output_mode=csv&count=50000
Then, the root cause of the results truncated to 10.000 was the sort in the table, solved with
| sort 0 <field>
Regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I write here complete answer if someone need.
As already wrote the correct query to curl and export results with PHP is:
https://localhost:8089/services/search/jobs//results/?output_mode=csv&count=50000
Then, the root cause of the results truncated to 10.000 was the sort in the table, solved with
| sort 0 <field>
Regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If i am not wrong there is space between output_mode=csv and -d count=5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At the end i was able to do the php curl with a simple GET and calling
https://localhost:8089/services/search/jobs//results/?output_mode=csv&count=50000
Now the problem is that i get just 10.000 results (should be more than 18.000)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ohk whats is your search?
And do you get the same numberof results into splunk as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also set
this is from the limits.conf:
[restapi]
maxresultrows = <integer>
* Maximum result rows to be returned by /events or /results getters from REST API.
* Defaults to 50000.
As you can see, there is a limit configured.
You have two options now:
1) Enhance the limit to a value that is suitable for you.
2) I think the better option is to repeat your call with a different offset. You split up your requests on this way. Take a look into the answer of this post:
http://answers.splunk.com/answers/25411/upper-limit-for-rest-api-limits-conf-maxresultrows.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Default in limits.conf is 50000. Search is an inputlookup | table and it returns more than 18.000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey
Sort by default gives 10k results if you want unlimited results then you should use sort limit=0
I hope this helps you!
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
