Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Export to csv is not fetching all the results - Python /Splunk SDK

pchp348
Explorer
‎12-10-2018 06:15 AM

I do have a Python code to run an query and export the search results to .csv files. The program is working perfectly fine but when i opened the search results i could not see all the results. I just validated the same by running the query manually in splunk and exported the result and compared the results with the one which is generated through my code. I am running the query for last 2 hours.

My Code -
import time
import splunklib.client as client
import splunklib.results as results
import csv

import random

HOST = "Server"
PORT = 8089
USERNAME = "user"
PASSWORD = "password"

service = client.connect(
host=HOST,
port=PORT,
username=USERNAME,
password=PASSWORD)

My splunk query file

with open('H:\Query1.txt', 'r') as myfile:
Splunk_query=myfile.read()

Executing the query for last 2 hours

results_kwargs = {
"earliest_time": "-2h",
"latest_time": "now",
"search_mode": "normal",
"output_mode": "csv"
}

oneshotsearch_results = service.jobs.oneshot(Splunk_query, **results_kwargs)
f=open("H:\lasttwohours.csv", 'w')
f.write(oneshotsearch_results.read())
f.close()

Kindly help me with the export with the absolute results which i am getting it from splunk.

NOTE : I dont have permission to change any .conf file since this is the restricted environment. I can run my program and get the results from splunk.

Labels (2)
Labels
0 Karma
Reply

lesley_lin
New Member
‎10-16-2019 08:42 PM

http://dev.splunk.com/view/python-sdk/SP-CAAAEE5
The document says:

By default, one-shot searches will return a maximum of 100 events, even if there are more than 100 events in the search results. To return more than 100 events, add the following parameter to your one-shot search's arguments:
"count": 0
The count parameter, when set to zero, indicates that there is no limit to the number of events to be returned.

Maybe you could try to modify your search query.

0 Karma
Reply

lesley_lin
New Member
‎10-16-2019 11:11 PM

Like this:
job = service.jobs.oneshot(searchquery, **results_kwargs, count=0)

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...