Solved: Re: Splunk Enterprise 7.03 Python SDK Pagination H...

pdibenedetto · ‎04-20-2018

Good Morning,

I am working with:

Splunk Version
7.0.3
Splunk Build
fa31da744b51

I have built my search and when I run it in the dashboard, I see all 360 results that I am expecting; however, when I execute my saved search via the Python SDK I only get 100 results back. I believe it is related to pagination, but cannot figure out the correct parameters to solve the problem. Here is what I am running:

import splunklib.client as client
service = client.connect(
host=HOST,
port=PORT,
username=USERNAME,
password=PASSWORD)
...

            mysavedsearch = service.saved_searches[splunk_report]

            # Run the saved search
            job = mysavedsearch.dispatch()
     for result in results.ResultsReader(job.results()):

. .........process the response.

I see reference to count in other posts but mostly when executing a search not a saved_search. Any advice on what parameter to use would be appreciated.

Thanks.

damien_chillet · ‎04-20-2018

Hey,

Good news, the fix is very easy!
By default ResultsReader is limited to 100 raws, just add count=0 in job.results() arguments and you should get the whole thing!

for result in results.ResultsReader(job.results(count=0)):

View solution in original post

pdibenedetto · ‎04-20-2018

Thank you very much! That did the trick.

Pete

damien_chillet · ‎04-20-2018

Hey,

Good news, the fix is very easy!
By default ResultsReader is limited to 100 raws, just add count=0 in job.results() arguments and you should get the whole thing!

for result in results.ResultsReader(job.results(count=0)):

Splunk Enterprise 7.03 Python SDK Pagination Help

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform