Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

issue pulling large data sets from Splunk using splunk cli - truncated output

ebailey
Communicator
‎08-12-2015 06:29 AM

I need to pull a large set data from Splunk as a scheduled job and then redirect the output to shared storage. I have used the splunk cli for this sort of work before and tried it again.

/opt/splunk/bin/splunk search "index=os sourcetype=iostat bandwUtilPct > 0 earliest=-d@d latest=@d | ta
ble Device,_time,avgSvcMillis,avgWaitMillis,bandwUtilPct,host,rKB_PS,rReq_PS,wKB_PS,wReq_PS" -auth 'test:test' -output csv -maxout 0 > /shared/test/SPLUNK/IO_CSV/test_io.csv

If I run this query from the UI i get arond 13-14 million events, but if I run this query from the cli i get a little over 6 million events. I had thought using "-maxout 0 " preventing truncation or could this be something else? I don't see any error messages for the search so I do not know what else could cause the issue.

Any thoughts?

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-12-2015 08:45 AM

Executing regular search from CLI may hit a memory limit. The best way to do it is by using Splunk RESTFUL API . See more details here http://blogs.splunk.com/2013/09/15/exporting-large-results-sets-to-csv/

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-12-2015 08:45 AM

Executing regular search from CLI may hit a memory limit. The best way to do it is by using Splunk RESTFUL API . See more details here http://blogs.splunk.com/2013/09/15/exporting-large-results-sets-to-csv/

Reply
Solved! Jump to solution

ebailey
Communicator
‎08-12-2015 10:06 AM

Kinda of what I thought - i am lazy so was hoping the built-in tools would work though the rest-api is easy enough.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...