Splunk Search

Custom Splunk search command only returns 100 results

moorhead_30s
New Member

Hello,
I'm writing a custom Splunk search command that runs a query on another Splunk host, then returns those results. Unfortunately, no matter what inputs I use in the search or arguments I change for the job creation the search only returns 100 results, but the job object returned by the Python SDK correctly identifies the ~30k results it should have in job['resultCount'].

Is there something I am missing in this process to get the SDK to give me all of the results? Please note that the command is called "ril", and it does not modify the results from the job at all, it only returns them. I will include as much information as I can below as to how the command is integrated into the app.

Thank you in advance.

ril.py (edited for brevity)

service = client.connect(host=HOST, port=PORT, username=USERNAME, password=PASSWORD)

query = QUERY
kwargs = {"exec_mode": "normal", "count" : 0}
job = service.jobs.create(query, **kwargs)

# Poll for completion
while True:
    while not job.is_ready():
        pass
    if job["isDone"] == "1":
        break
    sleep(0.5)

# Touch each result, make a dict of them to be passed to Intersplunk.outputResults()
newresults = []
for result in results.ResultsReader(job.results()):
    newresults.append(result)

# Output results to Splunk
Intersplunk.outputResults(newresults)

commands.conf

[ril]
filename = ril.py
generating = true
local=true

default.meta

[]
access = read : [ * ], write : [ admin, power ]
0 Karma

vkannampuzha
Explorer

Amend your code at line 17 and try this:

for result in results.ResultsReader(job.results(count=0)):

otherwise, you may have to edit your limits.conf file to add a stanza like below:

[restapi]
maxresultrows = 4294967295

Hopefully, that does the trick.

0 Karma

vasanthmss
Motivator

what's the query?

V
0 Karma

moorhead_30s
New Member

It is simply an inputlookup with nothing after. I intend for this command to be a remote version of inputlookup to allow synchronizing lookups based on Splunk triggers.

The name of the lookup/csv file as well as any arguments passed in the custom command are directly passed into the inputlookup command on the remote server as well, but no other SPL commands are included in that query.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...