I can see that there are over 10000 records per list (Threat Intelligence) in the Splunk ES Web UI. But I can ONLY export 10000 records per list. May I know if there is a limitation on that (max. 10000 records per list), rather than only 10000 records being parsed or normalized? Thanks.
I mean I cannot export my TI from ES; the menu path is as below:
Splunk > App: Enterprise Security > Threat Artifacts >
Then I get my TI result and would like to export it (over 10,000 records are there) to CSV format, but in the end I get only 10,000 records in the CSV.
Are you using the "sort" command somewhere in your query? That limits the records to 10,000 by default. Use zero, like "sort 0 field1 field2", to include all records.
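To illustrate the point in that answer, here is an added SPL example (not from the original thread or from Splunk ES itself). The lookup name `ip_intel` and the field names `threat_key` and `ip` are assumptions made for the example; substitute the lookup and fields your threat artifact search actually uses.

```spl
| inputlookup ip_intel
| sort threat_key ip
```

The `sort` above has no explicit count, so Splunk applies its default limit and silently truncates the result set at 10,000 rows, which is exactly what you then see in the exported CSV. Supplying `0` as the count removes that limit:

```spl
| inputlookup ip_intel
| sort 0 threat_key ip
```

Check the job's result count in the search bar (or in the Job inspector) after the change: if it now exceeds 10,000 rows, the truncation came from `sort`; if it is still capped at exactly 10,000, the cap is coming from somewhere else in the pipeline (for example an explicit `head`) or from the export path rather than from `sort`.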
Thanks, I try it now.
Hi,
You can find the answer in another post:
https://answers.splunk.com/answers/371296/how-do-i-get-more-than-10000-results-in-the-csv-fi.html
Regards,
Thank you for the link, but I am not sure about the configuration file location. I tried to find the file "savedsearches.conf" and got some results.