Hi,
I am trying to export data from Splunk to ingest it into another analysis tool.
If I search Splunk for this:
index="myindex" earliest=01/01/2018:00:00:00 latest=01/31/2018:23:59:59
Then in the search summary that appears under the search bar it says there are 18,531,517 events.
I exported my data for January 2018 using the command
curl -k -u user:password "https://myinstallation.splunkcloud.com:8089/services/search/jobs/export" --data-urlencode search='search index="myindex" earliest=01/01/2018:00:00:00 latest=01/31/2018:23:59:59' -d output_mode=csv -o results_january.csv
When I count the results using either wc -l or by using grep to count the number of times the string containing my input file occurs in the file, I get 18715731 results. I decided to try counting the string in case Splunk was including a new line in the output, which would break wc counting. But any way that I use to count shows that there are 18715731 results.
In other words, I have exported 18,715,731 results but Splunk says there are only 18,531,517 events.
So there are 184,214 extra events in the output. The Splunk GUI has about 10% fewer events than the export tool gives.
How can I reliably pull data from Splunk? How do I know which of the Splunk reports are incorrect? The search results or the export results?
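One way to test whether quoted multi-line events in the CSV export explain a wc -l figure that differs from the event count: parse the export with a real CSV parser and compare the record count to the raw newline count. This is an added example, not code from the original post or from Splunk; the sample export below is constructed, and its field layout and event text are assumptions.

```python
import csv
import io

# Constructed sample of what a Splunk CSV export (output_mode=csv) can look like.
# The _raw field of a multi-line event (here a hypothetical stack trace) is quoted
# and contains embedded newlines, so a naive `wc -l` counts it as several lines.
SAMPLE_EXPORT = (
    '_time,host,_raw\n'
    '2018-01-01T00:00:01,web01,"GET /index.html 200"\n'
    '2018-01-01T00:00:02,web02,"java.lang.NullPointerException\n'
    '\tat com.example.Foo.bar(Foo.java:42)\n'
    '\tat com.example.Main.main(Main.java:7)"\n'
    '2018-01-01T00:00:03,web01,"POST /login 302"\n'
)


def naive_line_count(text):
    """What `wc -l` reports: every newline, header and embedded ones included."""
    return text.count('\n')


def count_csv_records(text):
    """Count data records (header excluded) by parsing the CSV, so a quoted
    field that spans several physical lines is still one record."""
    reader = csv.reader(io.StringIO(text, newline=''))
    header = next(reader, None)
    if header is None:
        return 0
    return sum(1 for row in reader if row)


def reconcile(text, expected_events):
    """Compare both counting methods against the event count shown in the
    Splunk search summary. A non-zero 'record_delta' means the export really
    does disagree with the search; a non-zero 'line_delta' alone just means
    wc -l was fooled by embedded newlines."""
    records = count_csv_records(text)
    lines = naive_line_count(text) - 1  # subtract the header line
    return {
        'records': records,
        'record_delta': records - expected_events,
        'wc_lines': lines,
        'line_delta': lines - expected_events,
    }


if __name__ == '__main__':
    # With a real export: reconcile(open('results_january.csv').read(), 18531517)
    print(reconcile(SAMPLE_EXPORT, 3))
```

If the parsed record count matches the search summary, the extra lines are embedded newlines and not extra events; if it does not, the difference lies in the search itself (for example, time-window or index differences between the two queries).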