Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to export the results of a Splunk search that contains transforming commands?

CarbonCriterium
Path Finder
‎03-09-2022 07:06 PM

I am looking to export the results of a Splunk search that contains transforming commands.  When I run the same search in the web GUI the live results "hang" on 50,000 stats, but once the search is complete it shows more than 300,000.  (screenshots provided below)

  • Using the Splunk API, I want to export all results in a .json format, and
  • I only want to view the final results; I do not want to view the results as they are streamed
  • In essence I want to avoid the API returning any row where:
"preview":true

What am I missing?

 

While performing searchWhile performing searchFinished resultsFinished results

 

 

 

 

 

 

 

 

Using python 3.9's  requests, my script contains the following:

 

 

 

headers={'Authorization': 'Splunk %s' % sessionKey}
parameters={'exec_mode': "oneshot", 'output_mode':output_type, 'adhoc_search_level':'fast', 'count':0}    

with post(url=baseurl + '/services/search/jobs/export',params=parameters, data=({'search': search_query}), timeout=60, headers=headers, verify=False, stream=True) as response:

 

 

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-09-2022 11:56 PM

How long does your search take? You have a timeout of 60 (seconds?) - could this be increased?

0 Karma
Reply

CarbonCriterium
Path Finder
‎03-10-2022 04:57 AM

The trouble is not the timeout.  When the Splunk search is complete the results are successfully moved into an output file.  

I am interested in learning how to return only the final results of ~300,000 rows from Splunk.  The current URI path and parameters are leading to an output of more than 1,924,900 rows.  I think this is some indication that Splunk is streaming "live" results and I only want the final results.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2022 05:03 AM

I don't know how this works but I did notice that you have stream=True - could this be the issue? Have you tried with stream=False?

0 Karma
Reply

CarbonCriterium
Path Finder
‎03-10-2022 06:00 AM

The instance of "Stream=True" that you are referring to is not related to any part of the request to Splunk's REST API.

This is part of the python requests module/library that, if the response is available as a stream, reads the response as a stream.  Further into the script this allows for the results to be written "live" as they are returned... instead of as one massive 2,924,899 line file.  In essence, this is a band-aid to patch the issue I am actually asking in my question.

0 Karma
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...
Top