Getting Data In

Using CURLP PHP to export results

maurelio79
Communicator

Hi to all, i'm trying to export result with php curl using this :

curl -u admin:changeme \
     -k https://localhost:8089/servicesNS/admin/search/jobs/1423855196.339/results/ \
     --get -d output_mode=csv-d count=5

I made different try in php, but i'm not able to pass parameter like output_mode and count.
If i try with CURLOPT_POST and CURLOPT_POSTFIELDS i get "Method Not Allowed"

Can someone help me please?

Thanks and regards.

0 Karma
1 Solution

maurelio79
Communicator

I write here complete answer if someone need.

As already wrote the correct query to curl and export results with PHP is:

https://localhost:8089/services/search/jobs//results/?output_mode=csv&count=50000

Then, the root cause of the results truncated to 10.000 was the sort in the table, solved with

| sort 0 <field>

Regards.

View solution in original post

0 Karma

maurelio79
Communicator

I write here complete answer if someone need.

As already wrote the correct query to curl and export results with PHP is:

https://localhost:8089/services/search/jobs//results/?output_mode=csv&count=50000

Then, the root cause of the results truncated to 10.000 was the sort in the table, solved with

| sort 0 <field>

Regards.

0 Karma

mayurr98
Super Champion

If i am not wrong there is space between output_mode=csv and -d count=5

0 Karma

maurelio79
Communicator

At the end i was able to do the php curl with a simple GET and calling

https://localhost:8089/services/search/jobs//results/?output_mode=csv&count=50000

Now the problem is that i get just 10.000 results (should be more than 18.000)

0 Karma

mayurr98
Super Champion

Ohk whats is your search?
And do you get the same numberof results into splunk as well?

0 Karma

mayurr98
Super Champion

Also set
this is from the limits.conf:

 [restapi]
 maxresultrows = <integer>
 * Maximum result rows to be returned by /events or /results getters from REST API.
 * Defaults to 50000.
As you can see, there is a limit configured.

You have two options now:

1) Enhance the limit to a value that is suitable for you.
2) I think the better option is to repeat your call with a different offset. You split up your requests on this way. Take a look into the answer of this post:

http://answers.splunk.com/answers/25411/upper-limit-for-rest-api-limits-conf-maxresultrows.html

0 Karma

maurelio79
Communicator

Default in limits.conf is 50000. Search is an inputlookup | table and it returns more than 18.000

0 Karma

mayurr98
Super Champion

Hey
Sort by default gives 10k results if you want unlimited results then you should use sort limit=0
I hope this helps you!

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...