Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Number of events in GUI search does not match number of events in output of export API

andrewbeak
Path Finder
‎10-31-2018 10:52 AM

Hi,

I am trying to export data from Splunk to ingest it into another analysis tool.

If I search Splunk for this:

index="myindex" earliest=01/01/2018:00:00:00 latest=01/31/2018:23:59:59

Then in the search summary that appears under the search bar it says there are 18,531,517 events.

I exported my data for January 2018 using the command

curl -k -u user:password "https://myinstallation.splunkcloud.com:8089/services/search/jobs/export" --data-urlencode
search='search index="myindex" earliest=01/01/2018:00:00:00 latest=01/31/2018:23:59:59' -d output_mode=c
sv -o results_january.csv

When I count the results using either wc -l or by using grep to count the number of times the string containing my input file occurs in the file I get 18715731 results. I decided to try counting the string in case Splunk was including a new line in the output which would break wc counting. But any way that I use to count shows that there are 18715731 results.

In other words, I have exported 18,715,731 results but Splunk says there are only 18,531,517 events.

So there are 184,214 extra events in the output. The Splunk GUI has about 10% fewer events than the export tool gives.

How can I reliably pull data from Splunk? How do I know which of the Splunk reports are incorrect? The search results or the export results?

Tags (1)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...