Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: Threat Intelligence list export limitation at 10,000 record?

owenpcyip
New Member
‎12-08-2017 01:47 AM

I can see that there are over 10000 record per list (Threat Intelligence) in Splunk ES Web UI. But I can ONLY export 10000 records per list. May I know if there is a limitation on that (max. 10000 record per list) instead of parse or normalize 10000 records ONLY. Thanks.

0 Karma
Reply

owenpcyip
New Member
‎12-14-2017 06:42 PM

I means I cannot to export my TI from the ES, the menu path as below

Splunk > App: Enterprise Security > Threat Artifacts >

Then, I get my TI result and would like to export it (over 10,000 records are there) to csv format but finally I just get only 10,000 records from the csv.

0 Karma
Reply

nabeel652
Builder
‎12-09-2017 02:21 AM

Are you using "sort" command somewhere in your query? That limits the records to 10,000 by default. Use zero like "Sort 0 field1 field2" to include all records.

0 Karma
Reply

owenpcyip
New Member
‎12-10-2017 06:34 PM

Thanks, I try it now.

0 Karma
Reply

owenpcyip
New Member
‎12-14-2017 06:42 PM

I means I cannot to export my TI from the ES, the menu path as below

Splunk > App: Enterprise Security > Threat Artifacts >

Then, I get my TI result and would like to export it (over 10,000 records are there) to csv format but finally I just get only 10,000 records from the csv.

0 Karma
Reply

pleymort
Explorer
‎12-08-2017 06:13 AM

Hi,

You can find the answer in another post :
https://answers.splunk.com/answers/371296/how-do-i-get-more-than-10000-results-in-the-csv-fi.html

Regards,

0 Karma
Reply

owenpcyip
New Member
‎12-10-2017 06:37 PM

Thank you for the link but I am not sure for the configuration file location. I tried to find the file "savedsearched.conf" and got some results.

0 Karma
Reply

owenpcyip
New Member
‎12-14-2017 06:42 PM

I means I cannot to export my TI from the ES, the menu path as below

Splunk > App: Enterprise Security > Threat Artifacts >

Then, I get my TI result and would like to export it (over 10,000 records are there) to csv format but finally I just get only 10,000 records from the csv.

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...