Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I export search results with 10 million rows?

nbharadwaj
Path Finder
‎07-17-2010 12:53 AM

I am trying to export 10 million rows to a CSV. I want to explore options available for the following versions:

  • SplunkWeb 4.0.10
  • Splunk API/CLI 4.0.10

I also want to know what enhancements are in place in the latest 4.1.3 version for both Web and API/CLI

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎07-19-2010 03:31 PM

This depends a bit on whether you just need to export raw events or the result of a reporting/summarizing search.

In either case, it's a difficult task with 4.0.x. For a raw events search, one method is to write code and be clever in accessing the REST endpoints directly to "page" through the data. For either a raw or statistical events search, you can use outputcsv to persist even more rows to disk and retrieve them directly.

For 4.1.x, the CLI can emit an unlimited stream of raw events (in reverse-time order), however this data will not be CSV. This is achieved by setting -maxout 0. For a reporting/summarizing search, the limit is 500k and can be paged through using the REST API.

View solution in original post

Reply
Solved! Jump to solution

nbharadwaj
Path Finder
‎07-23-2010 05:16 AM

Yes I am referring to (hopefully) improved large data export functionality in 4.1.x

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎07-19-2010 03:31 PM

This depends a bit on whether you just need to export raw events or the result of a reporting/summarizing search.

In either case, it's a difficult task with 4.0.x. For a raw events search, one method is to write code and be clever in accessing the REST endpoints directly to "page" through the data. For either a raw or statistical events search, you can use outputcsv to persist even more rows to disk and retrieve them directly.

For 4.1.x, the CLI can emit an unlimited stream of raw events (in reverse-time order), however this data will not be CSV. This is achieved by setting -maxout 0. For a reporting/summarizing search, the limit is 500k and can be paged through using the REST API.

Reply
Solved! Jump to solution

nbharadwaj
Path Finder
‎07-23-2010 05:17 AM

Thanks, paging is fairly tedious in 4.0.x. I am hoping its improved in 4.1.x. I am interested only in reporting or summarized searches.

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎07-17-2010 02:58 AM

Those are two very different questions. You may want to open a second question for the 4.1.x question. Or are you referring to changes in 4.1.x purely related to large data exports?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...