Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does Splunk Web limit the total of number of rows in a result that can be exported to a CSV file?

reed_kelly
Contributor
‎12-21-2016 08:24 AM

Does anyone know the technical or another reason that the Splunk Web interface limits the total number of rows of the result set that can be exported to a CSV file? I know that unlimited sizes can be achieved by the REST API or SDK, but I have users who want to extract huge amounts of data. Since they are not handy with the command line, I end up using curl on their behalf.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

abhijit_mhatre
Path Finder
‎12-21-2016 09:40 AM

The default limit for csv export from a saved search is 10000. However, if you want to change this:

1) You can go to savedsearches.conf & change it.

savedsearches.conf
action.email.maxresults = <integer>
* Set the maximum number of results which you want to export
* Currently defaults to 10000

2) You can export data using outputlookup command which will create a csv file in Splunk. You can export unlimited number of results from the lookup file now. Use this at the end of your query.

For example:
index=abc | search host=* | stats count by b | outputlookup hosts.csv

This will create a lookup file hosts.csv & you can export it by running | inputlookup hosts.csv

Let me know if it helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nabeel652
Builder
‎12-21-2016 04:13 PM

As far as I have seen it doesn't limit the rows, or maybe I am getting you wrong. However, I think the problem may be in the roles. If you assign a user role to someone his search size is limited to 100MB and therefore it stops once the search occupies more than 100MB. Change "Limit Total Jobs Disk Quota" in the roles settings and this may fix the problem

0 Karma
Reply
Solved! Jump to solution
Solution

abhijit_mhatre
Path Finder
‎12-21-2016 09:40 AM

The default limit for csv export from a saved search is 10000. However, if you want to change this:

1) You can go to savedsearches.conf & change it.

savedsearches.conf
action.email.maxresults = <integer>
* Set the maximum number of results which you want to export
* Currently defaults to 10000

2) You can export data using outputlookup command which will create a csv file in Splunk. You can export unlimited number of results from the lookup file now. Use this at the end of your query.

For example:
index=abc | search host=* | stats count by b | outputlookup hosts.csv

This will create a lookup file hosts.csv & you can export it by running | inputlookup hosts.csv

Let me know if it helps.

0 Karma
Reply
Solved! Jump to solution

reed_kelly
Contributor
‎12-21-2016 11:42 AM

I should have clarified. I am talking about the export to file option on the main search interface. This allows the end user to export directly to their desktop. I suppose exporting to a lookup file would allow this by giving the users access to the Lookup Editor, but that could also increase our search bundle and cause issues with distributed search bundle replication.

There is a maxresultrows=nnn in limits.conf, but the documentation explicitly says not to set this higher than 50000.

My question is Why? And if there is a technical reason, then is there an app that would run the search in the REST API and then let the user download the result >100000000 rows and/or >100GB, etc...

0 Karma
Reply
Solved! Jump to solution

abhijit_mhatre
Path Finder
‎12-22-2016 02:33 AM

There is app "Splunk for Excel Export" which will help you to download 1 million events per workbook. Please check the app compatibility with your Splunk version.

App link : https://splunkbase.splunk.com/app/760/#/details
Splunk for Excel Export

Thanks & Regards,
Abhijit Mhatre

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...